Abstract.

This thesis is concerned with the development of mathematical tools for reasoning about computer programs. The approach is to design and investigate the properties of various dynamic logics with an emphasis on useful expressive power and adequacy.


First, rigorous definitions of the propositional and first-order dynamic logics are given, with an emphasis on the flexibility obtained by leaving unspecified the class of programs which these logics can discuss. A large portion of the results obtained to date in the investigation of dynamic logic ...


... dynamic logics relative to arithmetical universes. Such systems are proved arithmetically complete for the regular (flowcharts) and context-free (recursive programs) cases. The notions of diverging and failing are then introduced, with the aid of which the concept of the total correctness of a nondeterministic program is defined and the concept of a weakest precondition clarified. A detailed investigation of the properties of diverging and failing is then carried out, including the construction of arithmetically complete axiomatizations of both the regular and context-free logics obtained by supplying dynamic logic with the apparatus to express diverging directly.


Throughout, the presentation ... interesting properties of programs and ...


Thesis Supervisor: Vaughan R. Pratt, Associate Professor of Computer Science.

0. Introduction.


At one time or another, every programmer has come across the need to be able to state some property of his program or programs in an unambiguous way. Quite often this property is related in some way to the correctness of the program: "this program sorts its input in ascending order", "this program right-justifies a paragraph of input text", etc. Often it is an undesirable property that is of interest: "this program contains an infinite loop", "this PL/1 translation of this Fortran program does not behave exactly as the original", etc. Certainly these statements are not precise and cannot be taken as a basis for a serious discussion about the program in question. Moreover, the need might arise, whether initiated by the programmer himself or by an outsider, to supply some kind of proof of the truth of such claims.


In this thesis we set ourselves the task of developing mathematical tools for expressing interesting assertions about programs and for proving those of them which, in a well defined sense, are true. These two concerns, expressing and proving, will serve as landmarks throughout the thesis. Various formal logics are defined, the motivation for constructing them lying in the kinds of things we would like to be able to express; then axiom systems are developed for them, ... to prove those things. This, then, explains our title.


We believe that the virtues of research in this area are mainly in providing a sound and rigorous foundational basis upon which reasoning about programs can be carried out. It is not essential, in our opinion, to carry out a proof of the correctness of every program one writes, and certainly not a proof within some formal axiom system. However, it is important to possess the ability of doing so when required. In addition, work in logics of programs provides a theoretical basis for developing computer-aided tools for reasoning about programs, such as interactive verifiers or automatic proof-checkers. We are also of the opinion that, much as a mathematician, when proving a theorem in algebraic topology, benefits from his knowledge of, say, the basics of predicate calculus, an understanding of issues such as those discussed in this thesis results in a subconscious accumulation of important programming knowledge. This knowledge, attainable even at the level of an ordinary programmer, includes understanding the inner workings of such basic programming concepts as choice, iteration, recursion, infinite computations, etc.
The remainder of this introduction is devoted to a brief historical account of work which influenced the development of the material presented (Section 0.1), a chapter-by-chapter summary and description of what is to come (Section 0.2) and a short explanation of the policy adopted, by which some work other than the author's own is also included (Section 0.3).


0.1 History. 


Early work towards providing mathematical tools for reasoning about programs dates back to Turing [65] and von Neumann [66]. However, it is generally accepted that the first serious attempts solely devoted to that end are those of Floyd [17] and Naur [46] on the invariant assertion method for proving the partial correctness of programs, followed by the introduction, by Hoare [27], of an axiom system based on that method.


The work we present in this thesis is to a great extent based on Pratt's [52] foundational study of the semantics of Floyd-Hoare logic. (In fact, a preliminary version of [52], in the form of class notes, was written by Pratt in April 1974.) It is in [52] that the "modal logic of programs" (later termed dynamic logic, or DL, in [22]) was suggested as a powerful tool, touching off work by Fischer and Ladner [16] on the propositional version, and further work by Harel, Meyer and Pratt [22], Harel and Pratt [25], Pratt [53], Harel [20], [21], Parikh [48], [49], Berman and Paterson [9] and more.


The idea of constructing first-order-like logics for reasoning about programs is not new. A logic quite similar in conception to DL, algorithmic logic, has been defined by Salwicki [59] following work of Engeler [15]. Not unlike the situation with DL, Salwicki's original paper stimulated researchers at the University of Warsaw and resulted in extensive study branching off in various directions. Some sample papers are Mirkowska [41], Kreczmar [33], Banachowski [6] and Rasiowa [55]. A survey of their work can be found in [7]. Interestingly, a definition of dynamic logic appears in an appendix of Schwarz [60] and is credited there to Reynolds. However, the idea was not pursued any further there. Also, a very similar logic has been studied for quite a while by Constable, and reported on in [11]. Some comments concerning the relationships holding between DL, algorithmic logic, and Constable's logic appear in [...].


A large amount of related work, which has been of considerable help in developing the material presented, has been published over the years. Some notable examples are Manna's work in [37] and [38] on the formalization of Floyd's method and related concepts, Cook's [12] relative completeness result for Hoare's axiom system, the work of de Bakker et al. [3], [4] and [5] and that of Hitchcock and Park [26] on recursive programs, the completeness results of Harel, Pnueli and Stavi [25] and Gorelick [19] for recursive programs, and Dijkstra's [13] logic of total correctness.


0.2 Synopsis. 


This thesis consists of seven chapters which are organized into two parts. At the end of this section we show which chapters can be read independently.


Part I is concerned with logics which reason about programs based upon their input-output behavior. Here programs (nondeterministic ones in the general case) are viewed as binary relations on states, with the intention that a pair of states is related via a program α iff starting in the first, α can terminate in the second. The notions relevant to this level of description are the one asserting that P is true in all final states accessible from a given state via the program, and its dual, asserting that there exists such a final state in which P is true. The idea of dynamic logic, due in large to Pratt [52], is to augment a classical "static" logic such as predicate calculus with primitives for expressing these notions, and to use ideas borrowed from Kripke's [34] work on modal logic for defining the semantics of the resulting language.


Chapter 1 provides a definition of PDL, the propositional version of dynamic logic, together with results concerning (a) the decidability of its validity problem, (b) the power obtained by allowing propositional programs to test their environment, and (c) the problem of completely axiomatizing it.


In Chapter 2, the first order version of dynamic logic over regular (flowchart) programs, DL, is rigorously defined using the notions of state, universe, and uninterpreted symbols. It is shown that many interesting and well known properties of programs, such as partial correctness and equivalence, can be quite succinctly expressed as formulae of DL. Section 2.3 is aimed at showing that the class of programs allowed in DL is in fact a parameter, and that different classes of programs give rise to different variants of DL. Some open problems concerning the expressive power of these variations are stated. Section 2.4 contains results which show that validity for DL and some simple sublanguages is extremely hard to decide.


In Chapter 3 we show how an intuitive way in which assertions about programs can be proved is captured formally by allowing the reasoning to be carried out in a first-order language in which, besides any other domain of discourse, the natural numbers and operations on them have their standard meaning. This is done by introducing a concise axiomatization of DL which is complete relative to any such universe. We do not require programs to be written over these universes, but since any universe can be extended to an arithmetical one, this kind of reasoning can always, in principle, be carried out. We show, in Section 3.4, that arithmetical completeness is strongly related to Cook's [12] notion of relative completeness, and also discuss the approach of supplying DL with an infinitary, but complete, axiomatization.


In Chapter 4 we extend the definitions and results of Chapter 3 to the case in which the programs are allowed to be recursive. The recursive program construct introduced is simple enough so that a clear analogy between reasoning about iteration and recursion emerges. In particular, the axiom system in Section 4.3 of the resulting logic CFDL is far more natural and concise than earlier systems in the relevant literature.
Part II is concerned with the two operational notions of diverging and failing (i.e. entering an "infinite loop" and aborting due to the failing of a test) which are captured naturally by computation trees. These trees carry in their leaves the information present in the binary relations of Part I, but also contain information regarding e.g. the presence of divergences and failures. In Chapter 5 we define these new concepts and immediately apply them to the problem of defining a plausible notion of the total correctness of a general nondeterministic program. As it turns out, executing a program corresponds to traversing its computation tree, a task for which there are four natural methods, dual to one another. We show that each of these methods gives rise to a different notion of total correctness, and hence to a different notion of the weakest precondition which, if true before execution, guarantees total correctness. A detailed analysis is carried out in Sections 5.4 and 5.5 aimed at showing which (if any) of our four notions is the one described informally by Dijkstra [13] and which has been widely adopted for somewhat mysterious reasons.
Chapter 6 is devoted to investigating the mathematical properties of diverging and failing. In particular, it is shown in Section 6.1 that both these notions are expressible in DL, albeit by complicated formulae which have some undesirable properties. In Section 6.2 we augment DL to DL* by providing it with the power to express diverging directly, and show that this augmentation gives rise to a surprisingly elegant and natural arithmetically complete axiomatization of the notion of diverging, to be contrasted with the axiomatization obtained by translating this notion into its DL equivalent and then relying on the axiomatization of DL. In Section 6.3 we show that there is a pretty pattern of dualities associated with the construction of arithmetical axiom systems for DL and DL*. In Section 6.4 we use the observations inspired by this pattern to obtain a straightforward axiomatization of a related logic, ADL.


Chapter 7 is concerned with supplying results analogous to those of Chapter 6 for the case of recursive programs. Here special methods have to be developed in order to be able to completely axiomatize CFDL*, i.e. CFDL augmented with the power to express diverging directly, and in addition we can only get halfway through showing how to express diverging. Consequently, a question which arises is that of whether the results of these sections indicate the existence of some inherent difficulty in reasoning about recursive programs. We cannot supply more than intuition towards answering it. Section 7.4 contains a definition of plausible notions of diverging and failing which do not depend on computation trees and ...


As far as reading the thesis is concerned, after reading Chapters 1 and 2 (which are a prerequisite for any other chapter) the reader will have a good understanding of the basics of dynamic logic. He can then read Chapter 5, a reading aimed at grasping the main definitions for the regular case. Sequences 1,2,3 or 1,2,3,4 confine the reader to dynamic logic (no extensions) but, in addition, provide a treatment of arithmetical completeness for the regular and context-free cases respectively. One might also read 1,2,3,5,6, thus skipping anything to do with recursive programs.


0.3 Credits.

The occasion of writing this thesis has provided an opportunity (and excuse) for preparing a coherent and comprehensive description of the work done recently (mostly by members of the Theory of Computation Group of the Laboratory of Computer Science at MIT) concerning a new approach towards reasoning about programs, to which the general term dynamic logic has been attached. This opportunity has been taken advantage of, and consequently some of the material in the thesis is not due to the author. Any result which is not original with the author is stated with a reference to its originator. Also, we do not supply proofs of results which are not our own, but rather occasionally comment briefly as to the method involved. A consequence is the fact that many results are stated here for the first time and, as of now, no adequate documentation of their proofs is available. We feel, however, that these technicalities are irrelevant when balanced against the virtues of the kind of presentation we have chosen. Following is a quick reference to the notable parts of the thesis which are not original with the author, most of which are included in Chapters 1 and 2.


The ideas upon which the definition of PDL is based are due to V.R. Pratt and were published, in somewhat different form, in [52]. The definition of PDL in Chapter 1 is due to M.J. Fischer and R.E. Ladner and was published in [16]. The author's own contributions in that chapter are confined to the introduction of EPDL in Section 1.1 and its investigation in Appendix A. The material in Chapter 2, also stemming from the ideas of Pratt [52], was developed over a long period, jointly by A.R. Meyer, V.R. Pratt and the author (with the exception of Section 2.4, with which the author had little to do). A preliminary version of the rigorous definition of DL presented here was published in [22].


Some of the ideas present in the definition of the computation trees in Section 5.2, in particular the concept of failing, were worked out by the author jointly with V.R. Pratt, and appeared in preliminary form in [25]. The motivation for developing the material in that section was influenced in large by discussions with N. Dershowitz. As noted in the text, the central theorem in Section 6.1.1 is based on a result of Winklmann [71]. Section 7.4 is based upon an idea of A.R. Meyer.


I would like to take this opportunity to express my gratitude to the 
aforementioned individuals for allowing me to include their own work in this thesis. 
PART I: Binary-Relation Based Logics.


1. Regular Propositional Dynamic Logic (PDL).


PDL is the propositional version of dynamic logic, and was defined by M.J. Fischer and R.E. Ladner in [16] "to play a role in the logic of programs analogous to the role the propositional calculus plays in the classical first-order logic." They comment, "We have attempted to abstract from [work on logics of programs] the 'pure' logical structure underlying these formal systems. We feel a thorough understanding of this structure is a prerequisite to obtaining a good grasp on ... more ... systems, just as classical ... and ... first-order predicate calculus."


We first define an elementary version of PDL (EPDL) aimed at capturing the structure of the interface between programs and formulae regardless of the kinds of programs involved. We then define PDL essentially as in [16], and state some results concerning PDL and a set of variations PDL_i, for i ≥ 0.


1.1 Definitions.

1.1.1 Elementary PDL (EPDL).

EPDL is basically a modal logic with possibly more than one modality. Consequently, the semantics we provide for it is the Kripke [34] semantics of modal logic extended to allow many modalities.


Syntax: 


We have two sets of symbols, AF and AP, standing for atomic formulae and atomic programs. We use p, q, ... and a, b, ... respectively to denote elements of these two sets.


The set of well-formed formulae of EPDL (EPDL-wffs) is defined inductively as follows:

(1) All elements of AF are EPDL-wffs,
(2) For every a in AP and EPDL-wffs P and Q, (P∨Q), ¬P and <a>P are EPDL-wffs.

We abbreviate ¬(¬P∨¬Q) to P∧Q, ¬P∨Q to P⊃Q, (P⊃Q)∧(Q⊃P) to P≡Q, and ¬<a>¬P to [a]P. We will often omit parentheses, using double spacing when appropriate to prevent ambiguities. The construct <a>P is read "diamond-a P", and [a]P "box-a P".


Semantics: 


The central notion in the semantics of EPDL is that of a universe W, which is a set of states. We will have to specify for each formula P and state s∈W whether P is true in s (s satisfies P) or not. Hence it is plausible to define the meaning of such a formula as the subset of W consisting precisely of those states which satisfy it. Further, when viewing programs as objects which can "change the state of the world", it is plausible to define the meaning of a program as a binary relation on states, including the pair (s,t) in that relation iff the program in question started in state s can indeed terminate in state t. Thus our programs are nondeterministic; there can, for a given s, be more than one t such that (s,t) is in that relation.


A structure S, then, is defined as a triple (W, π, m) where
W is a nonempty set,
π: AF → 2^W and
m: AP → 2^(W×W).

Thus, π and m provide the meanings for the basic formulae and programs (i.e. AF and AP). π is extended inductively to the set of EPDL-wffs as follows:
π(P∨Q) = π(P) ∪ π(Q) = {s | s∈π(P) or s∈π(Q)},
π(¬P) = W − π(P) = {s | s∉π(P)},
π(<a>P) = {s | (∃t)((s,t)∈m(a) and t∈π(P))}.


Denoting s∈π(P) by s⊨P and (s,t)∈m(a) by s a t, and allowing free usage of conventional logical symbols in our metalanguage, we may write, for example,

s⊨<a>P iff ∃t(s a t ∧ t⊨P),

reading: "diamond-a P is true in state s iff there exists a state t reachable from s via a which satisfies P". One may then verify that for [a]P, which abbreviates ¬<a>¬P, we have

s⊨[a]P iff ∀t(s a t ⊃ t⊨P),

reading: "box-a P is true in state s iff every state reachable from s via a satisfies P".


Given a structure S=(W,π,m) we say that an EPDL-wff P is S-valid (and write ⊨_S P) if for every s∈W we have s⊨P. We say P is valid (and write ⊨P) if it is S-valid for every structure S. P is said to be S-satisfiable (resp. satisfiable) if ¬P is not S-valid (resp. not valid). The following are examples of valid EPDL-wffs:

([a]p ∧ <a>true) ⊃ <a>p, where true abbreviates p∨¬p,
<a>(p∧q) ⊃ (<a>p ∧ <a>q),
<a>(p∨q) ≡ (<a>p ∨ <a>q).

The first example states that wherever you go p holds, and if furthermore you can go somewhere, then you can go somewhere where p holds.


At this point we refer the reader to Appendix A where we define an interesting relational algebra which employs only two operations on relations: the conventional composition operation, and the operation ¬ defined by

¬e = {(s,s) | ∀t ¬((s,t)∈e)}.

We show there how to embed EPDL and, with more effort, PDL in a pure relational calculus.


1.1.2 PDL.

Syntax:


Here too we have the two sets of symbols AF and AP, and in addition we require that AP contain one special element, denoted by 0, which corresponds to the empty program.


The set R of regular programs is defined inductively as follows:
(1) All elements of AP are in R,
(2) For all α and β in R, (α;β), (α∪β) and α* are in R.


The set of well-formed formulae of PDL (PDL-wffs) is defined inductively, similarly to EPDL:
(1) All elements of AF are PDL-wffs,
(2) For every α in R and PDL-wffs P and Q, (P∨Q), ¬P and <α>P are PDL-wffs.


We abbreviate as in Section 1.1.1.

Semantics:


Here too we have the notion of a structure S=(W,π,m). However, we are now obliged to extend m to the class of programs R. This is done as follows:

m(0) = ∅,
m(α;β) = m(α) ∘ m(β) = {(s,t) | (∃u)((s,u)∈m(α) and (u,t)∈m(β))},
m(α∪β) = m(α) ∪ m(β) = {(s,t) | (s,t)∈m(α) or (s,t)∈m(β)},
m(α*) = (m(α))* = {(s,t) | (∃i≥0)(∃s_0,...,s_i)(s_0=s and s_i=t and (∀j, 0≤j<i)((s_j,s_{j+1})∈m(α)))}.


Here the double usages of ∪ and * on both sides of the equations represent operations in the formal language we are defining and operations on binary relations respectively; in the latter ∪ is union and * is reflexive and transitive closure. Thus, our programs are literally the regular expressions over the alphabet AP, with 0, α;β, α∪β, and α* meaning respectively "the empty program", "do α followed by β", "do either α or β, the choice being nondeterministic", and "do α any (nonnegative) number of times, the choice being nondeterministic". Here "doing α 0 times" is like "doing nothing". π is extended inductively to the set of PDL-wffs as in EPDL, and the definitions of validity and satisfiability are the same too. The following are examples of valid PDL-wffs:
<a∪b>(p∧q) ⊃ ((<a>p ∧ <a>q) ∨ (<b>p ∧ <b>q)),
[a*;a*]p ≡ [a*]p,
([(a;a)*]p ∧ [a;(a;a)*]¬p) ≡ (p ∧ [a*]((p ⊃ [a]¬p) ∧ (¬p ⊃ [a]p))).

The last of these (due to A.R. Meyer) asserts the equivalence of two ways of stating that p and ¬p hold alternately along arbitrary a-paths.


Taking false to abbreviate p∧¬p, the following are examples of S-valid formulae, where the structure S is described by the self-explanatory figure below. [Figure: the structure S; not reproduced.]

<a∪b>[a*]<a;(a∪c)>(<b>true ∧ [a]false),
<a∪b>[a*]<a;(a∪c)>([b]false ∧ <a>true).


1.2 Results.

First we state some straightforward consequences of our definitions and provide proofs of some representative cases.

Lemma 1.1: For every PDL-wff P and α, β∈R, the following are valid:

(a) [α;β]P ≡ [α][β]P,
(b) [α∪β]P ≡ ([α]P ∧ [β]P).

Proof: We prove (a): s⊨[α;β]P iff ∀t(s α;β t ⊃ t⊨P) iff ∀t(∃u(s α u ∧ u β t) ⊃ t⊨P) iff ∀t∀u((s α u ∧ u β t) ⊃ t⊨P) iff ∀u(s α u ⊃ ∀t(u β t ⊃ t⊨P)) iff ∀u(s α u ⊃ u⊨[β]P) iff s⊨[α][β]P. ∎


Lemma 1.2: For every PDL-wff P and α∈R, s⊨[α*]P iff for every n≥0 we have s⊨[α^n]P, where α^0 is true? and α^{n+1} is α;α^n.

Proof: s⊨[α*]P iff ∀t(s α* t ⊃ t⊨P) iff ∀t((∃n)(∃s_0,...,s_n)(s_0=s ∧ s_0 α s_1 ∧ ... ∧ s_{n-1} α s_n ∧ s_n=t) ⊃ t⊨P) iff ∀n∀t(s α^n t ⊃ t⊨P) iff for every n≥0, s⊨[α^n]P. ∎


Lemma 1.3: For every α∈R and PDL-wffs P and Q the following are valid:

(a) [α](P∧Q) ≡ ([α]P ∧ [α]Q),
(b) [α](P⊃Q) ⊃ ([α]P ⊃ [α]Q),
(c) <α>(P∨Q) ≡ (<α>P ∨ <α>Q),
(d) <α>(P∧Q) ⊃ (<α>P ∧ <α>Q).

Proof: We prove (a). s⊨[α](P∧Q) iff ∀t(s α t ⊃ t⊨(P∧Q)) iff ∀t(s α t ⊃ (t⊨P ∧ t⊨Q)) iff (∀t(s α t ⊃ t⊨P) ∧ ∀t(s α t ⊃ t⊨Q)) iff s⊨([α]P ∧ [α]Q). ∎


Note that a trivial counter-example to the other direction of both (b) and (d) is the structure with two states s and t in which P is true only in s and Q only in t and in which we have both s α s and s α t.


Theorem 1.4 (Fischer and Ladner [16]): The validity problem for PDL is decidable.

This result is obtained by establishing a "finite model theorem" for PDL, stating that a PDL-wff is satisfiable iff it is S-satisfiable for some structure S in which the universe W is finite and in fact bounded by an exponential in the size of the wff. The next theorem essentially establishes an upper bound on this decision method:


Theorem 1.5 (Fischer and Ladner [16]): Satisfiability in PDL can be decided in nondeterministic time c^n for some constant c, where n is the length of the formula tested.

Pratt [53] has recently developed a decision procedure for PDL, based on the tableau method, which, in many naturally arising cases, is more efficient than the one implicit in the proof of Theorem 1.5 in [16].

Theorem 1.6 (Fischer and Ladner [16]): There is a constant c>1 such that satisfiability in PDL cannot be decided in deterministic time ...

This lower bound is proved by showing how to simulate the computation of an alternating Turing machine with a PDL-wff.


The following results are concerned with a variation of PDL in which programs are allowed to test the truth of certain formulae, implying continuation if the test produces true, and no continuation otherwise.

For the purpose of the rest of this section we let PDL_0 stand for PDL. Now, for any i≥1 define PDL_i by adding to the definition of the set of programs R the clause

(3) For any PDL_{i-1}-wff P, P? is in R,

and to the definition of the extension of m to R, the clause

m(P?) = {(s,s) | s∈π(P)}.

Thus, ...
Lemma 1.7: For every PDL_i-wffs P and Q, [P?]Q ≡ (P ⊃ Q) is a valid PDL_{i+1}-wff.

Proof: Straightforward from the definitions. ∎


Theorem 1.8: The familiar program constructs

if P then α else β,
while P do α,
if P → α ▯ Q → β fi,
...

are expressible in PDL_1 as regular programs with tests.

Consider also the variant of PDL_1 in which clause (3) above is taken to be

(3) For any p in AF, p? is in R.

Thus, we allow only testing of propositional letters from AF. Denote this variant of PDL by PDL_{0.5}.
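The semantics of Sections 1.1.1 and 1.1.2 (π and m over a structure), the test clause m(P?) just given, Lemma 1.2, the counter-example noted after Lemma 1.3, Lemma 1.7 and the constructs of Theorem 1.8 can all be checked mechanically on a finite structure. The following Python model checker is an added example and is not code from the thesis: the tuple encoding of formulae and programs, the function names and the sample structures are this example's own choices, and the encodings of if-then-else and while as (P?;α)∪(¬P?;β) and (P?;α)*;¬P? are the standard ones, assumed here because the page does not spell them out.

```python
# Added example (not from Harel's thesis): a model checker for PDL with tests
# over a finite structure S = (W, pi, m), following the definitions of
# Sections 1.1.1 and 1.1.2 and the clause m(P?) = {(s,s) | s in pi(P)}.
# The tuple encodings, function names and sample structures are this
# example's own; the if/while encodings are the standard ones (assumed).
#
# Formulae:  ('atom', p)  ('not', P)  ('or', P, Q)  ('and', P, Q)
#            ('imp', P, Q)  ('iff', P, Q)  ('dia', alpha, P)  ('box', alpha, P)
# Programs:  ('atom', a)  ('empty',)  ('seq', a, b)  ('union', a, b)
#            ('star', a)  ('test', P)

def compose(r1, r2):
    """Relational composition: {(s,t) | exists u with (s,u) in r1 and (u,t) in r2}."""
    return {(s, t) for (s, u) in r1 for (v, t) in r2 if u == v}

def closure(rel, states):
    """Reflexive-transitive closure of rel over states, by fixpoint iteration."""
    acc = {(s, s) for s in states}
    while True:
        nxt = acc | compose(acc, rel)
        if nxt == acc:
            return acc
        acc = nxt

def meaning(prog, S):
    """m extended to regular programs with tests (Section 1.1.2 plus m(P?))."""
    W, pi, m = S
    kind = prog[0]
    if kind == 'atom':  return set(m.get(prog[1], set()))
    if kind == 'empty': return set()                      # m(0) = empty relation
    if kind == 'seq':   return compose(meaning(prog[1], S), meaning(prog[2], S))
    if kind == 'union': return meaning(prog[1], S) | meaning(prog[2], S)
    if kind == 'star':  return closure(meaning(prog[1], S), W)
    if kind == 'test':  return {(s, s) for s in truth_set(prog[1], S)}
    raise ValueError(prog)

def truth_set(P, S):
    """pi extended to wffs: the subset of W whose states satisfy P."""
    W, pi, m = S
    kind = P[0]
    if kind == 'atom': return set(pi.get(P[1], set()))
    if kind == 'not':  return set(W) - truth_set(P[1], S)
    if kind == 'or':   return truth_set(P[1], S) | truth_set(P[2], S)
    if kind == 'and':  return truth_set(P[1], S) & truth_set(P[2], S)
    if kind == 'imp':  return (set(W) - truth_set(P[1], S)) | truth_set(P[2], S)
    if kind == 'iff':  return set(W) - (truth_set(P[1], S) ^ truth_set(P[2], S))
    if kind in ('dia', 'box'):
        rel, ok = meaning(P[1], S), truth_set(P[2], S)
        if kind == 'dia':                                 # some successor satisfies P
            return {s for (s, t) in rel if t in ok}
        return {s for s in W if all(t in ok for (u, t) in rel if u == s)}
    raise ValueError(P)

def s_valid(P, S):
    """P is S-valid iff every state of W satisfies P."""
    return truth_set(P, S) == set(S[0])

TRUE = ('or', ('atom', 'p'), ('not', ('atom', 'p')))      # true abbreviates p v -p
FALSE = ('not', TRUE)                                     # false abbreviates p & -p

def if_then_else(P, alpha, beta):
    """Standard encoding (assumed): (P?;alpha) u (-P?;beta)."""
    return ('union', ('seq', ('test', P), alpha), ('seq', ('test', ('not', P)), beta))

def while_do(P, alpha):
    """Standard encoding (assumed): (P?;alpha)*;-P?."""
    return ('seq', ('star', ('seq', ('test', P), alpha)), ('test', ('not', P)))

def power(alpha, n):
    """alpha^0 = true?, alpha^(n+1) = alpha;alpha^n (as in Lemma 1.2)."""
    prog = ('test', TRUE)
    for _ in range(n):
        prog = ('seq', alpha, prog)
    return prog

def box_star_via_powers(alpha, P, S):
    """Lemma 1.2: [alpha*]P iff [alpha^n]P for all n >= 0.  On a finite W every
    reachable state is reached by a path of length < |W|, so n < |W| suffices."""
    result = set(S[0])
    for n in range(len(S[0])):
        result &= truth_set(('box', power(alpha, n), P), S)
    return result

def sample_structure():
    """Constructed structure: three states, atomic formulae p, q, atomic programs a, b."""
    return ({0, 1, 2},
            {'p': {0, 1}, 'q': {1}},
            {'a': {(0, 1), (1, 2)}, 'b': {(0, 0), (2, 1)}})

def counterexample_structure():
    """The two-state structure of the remark after Lemma 1.3:
    P true only in s, Q only in t, and both s a s and s a t."""
    return ({'s', 't'}, {'P': {'s'}, 'Q': {'t'}}, {'a': {('s', 's'), ('s', 't')}})

if __name__ == '__main__':
    S, a, p = sample_structure(), ('atom', 'a'), ('atom', 'p')
    print('[a]p   holds in', truth_set(('box', a, p), S))
    print('[a*]p  holds in', truth_set(('box', ('star', a), p), S))
    print('m(while p do a) =', meaning(while_do(p, a), S))
```

Run as a script it prints a few truth sets over the constructed three-state structure. The bound in box_star_via_powers is what makes Lemma 1.2's infinite conjunction finite on a finite universe: if [α*]P fails at s there is a reachable t with ¬P, and the shortest α-path from s to t has fewer than |W| steps, so some [α^n]P with n < |W| already fails; conversely if [α*]P holds, every [α^n]P holds. Meyer's formula from Section 1.1.2 and the PDL_1-wff proved in Section 1.3 are both S-valid here, as valid formulae must be in every structure.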


Theorem 1.9 (Berman and Paterson [9]): There exists a PDL_{0.5}-wff P such that there is no PDL_0-wff Q such that ⊨(P≡Q) (where P≡Q is to be viewed as a PDL_{0.5}-wff).

Theorem 1.10 (Berman [8]): For any i≥0, there exists a PDL_{i+1}-wff P such that there is no PDL_i-wff Q such that ⊨(P≡Q) (where P≡Q is to be viewed as a PDL_{i+1}-wff).


Informally, these results mean that each "level of testing" supplies increasingly more expressive power, or in other words,

PDL_0 < PDL_{0.5} < PDL_1 and
∀i (PDL_i < PDL_{i+1}),

the second, say, reading "for every i, PDL_{i+1} is strictly more expressive than PDL_i".


Theorem 1.9 (and similarly 1.10) is proved by a subtle argument involving the construction of two families of structures S_j and S'_j for every j≥0, and the exhibition of a PDL_{0.5}-wff P which can "distinguish" between S_j and S'_j for each j. One can then show that corresponding to any PDL_0-wff Q there exists an index j(Q) such that Q cannot distinguish between S_{j(Q)} and S'_{j(Q)}.

Berman [8] has also shown that ...


1.3 Axiomatization of PDL.


A problem left open in [16] was that of finding a natural complete axiom system for PDL. Consider the following axiom system X:

Axioms:
(1) All tautologies of propositional calculus,
(2) [α](P⊃Q) ⊃ ([α]P ⊃ [α]Q),
(3) [0]P,
(4) [α;β]P ≡ [α][β]P,
(5) [α∪β]P ≡ ([α]P ∧ [β]P),

Inference rules:
(8) from P and P⊃Q infer Q,
(9) from P infer [α]P.

For PDL_1, the system X' is obtained from X by adding the test axiom
(10) [P?]Q ≡ (P ⊃ Q).

Provability in X or X' is defined in the standard way: P is provable (written ⊢P) iff there exists a finite sequence of PDL-wffs such that each is an instance of one of the axioms or is obtained from previous ones by one of the rules, and the last is P. The completeness of this system had been conjectured for quite a while, but final confirmation of this fact came recently, independently, in Parikh [49], Segerberg [61] and Gabbay [18].

Theorem 1.11 (Parikh, Pratt, Segerberg and Gabbay): For any PDL-wff (resp. PDL_1-wff) P, ⊨P iff ⊢_X P (resp. ⊢_{X'} P).


As an example of a proof in X', serving in addition to familiarize the reader with the notions of PDL, we sketch the proof of the validity of the following PDL_1-wff:

[(<a>true?;a)*]p ⊃ [a*]p.

Abbreviating (<a>true?;a) to β and [β*]p to Q, we state the main points in the proof, omitting reference to (1) and (8). The reader is invited to convince himself that each step can be rigorously justified in X'.


1. Q ⊃ (Q ∨ false),
2. [a]Q ⊃ [a](Q ∨ false),
3. [a]false ⊃ [a](Q ∨ false),
4. ([a]false ∨ [a]Q) ⊃ [a](false ∨ Q),
5. (<a>true ⊃ [a]Q) ⊃ [a]Q,
6. [<a>true?][a]Q ⊃ [a]Q,
7. [β]Q ⊃ [a]Q,
8. Q,
9. [a*](Q ⊃ [a]Q),
10. Q ⊃ [a*]Q,
11. Q ⊃ p,
12. [a*]Q ⊃ [a*]p,
13. Q ⊃ [a*]p.

Justifications (only partly legible in the source): line 1, (9), (2); line 5, (10); (4), line 6; lines 11, 13.


2. Regular First-order Dynamic Logic (DL).


In this chapter we define a first order logic based upon ideas from Pratt [52] further developed in [22]. The logic, first order dynamic logic, or DL for short, is designed to reason about "real" regular programs, i.e. the equivalent of nondeterministic flowcharts or recursion-free loop programs. The sense in which the programs are "real" is that they employ the conventional notions of changing the value of variables by assigning to them and testing the value of formulae; programs in DL are no longer combinations of atomic program symbols, and program-free formulae are no longer propositional.


After defining DL we elaborate on the kinds of facts expressible in it. Section 2.3 contains some extensions of and restrictions upon the class of programs allowed in DL, viewing all the resulting logics as variations of DL. Section 2.4 contains results concerning the question of how hard it is to decide the validity of certain kinds of formulae of DL.


2.1 Definitions.

Syntax:

We are given a set of function symbols and a set of predicate symbols, each symbol with a fixed nonnegative arity. We assume the inclusion of the special binary predicate symbol "=" (equality) in the latter set. We denote predicate symbols by p, q, ... and k-ary function symbols for k>0 by f, g, ... Zeroary function symbols are denoted by x, y, z, ... and are called variables. A term is some k-ary function symbol followed by a k-tuple of terms, where we restrict ourselves to terms resulting from applying this formation rule finitely many times only. For a variable x we abbreviate x() to x; thus f(g(x),y) is a term provided f and g are binary and unary respectively. An atomic formula is a k-ary predicate symbol followed by a k-tuple of terms.
We define by simultaneous induction the set RG of first-order regular programs and
the set of DL-wffs:

(1) For any variable x and term e, $x \leftarrow e$ is in RG,
(2) For any program-free (see below) DL-wff P, $P?$ is in RG,
(3) For any $\alpha$ and $\beta$ in RG, $(\alpha;\beta)$, $(\alpha \cup \beta)$ and $\alpha^*$ are in RG,
(4) Any atomic formula is a DL-wff,
(5) For any DL-wffs P and Q, $\alpha$ in RG and variable x,
    $\neg P$, $(P \vee Q)$, $\exists x P$ and $\langle\alpha\rangle P$ are DL-wffs.

A DL-wff which contains no occurrence of a program of RG is called program-free or simply
a first-order formula. Programs of the form indicated in (1) and (2) are called
respectively (simple) assignments and (simple) tests. We use $\wedge$, $\supset$, $\equiv$ and $[\alpha]$ as
abbreviations as in the previous chapter, and in addition abbreviate $\neg\exists x\neg P$ to $\forall x P$.


(Remark: As will be seen in Section 2.3, the particular class of programs allowed in
DL-wffs can be viewed as being a parameter; different classes give rise to different
variations. Even within the particular class of regular programs the set of tests can be
allowed to vary; it can be the set of quantifier-free tests or, inductively, the set of
question-marked DL-wffs. Various kinds of assignments can be allowed as well. We point out these
facts here, even before completing the definition of DL, so that the reader does not
associate any particular class of programs with the generic term dynamic logic.)


Semantics:

The semantics of DL is based, as was that of PDL, on the concept of a state. The difference, however,
is that we are now concerned with specific atomic programs and specific atomic formulae.

A state J consists of a non-empty domain D and a mapping from the sets of function
and predicate symbols to the sets of functions and predic­ates over D, such that to a k-ary
function symbol f (resp. predicate symbol p) there corresponds a total k-ary function
(resp. predicate) over D denoted by $f_J$ (resp. $p_J$). In particular, to a variable there
corresponds an element of the domain and to a zeroary predicate symbol (propositional
letter) a truth value (true or false). The standard equality predicate over D is that
corresponding to the equality symbol (=). We sometimes refer to the domain of J as $D_J$.

Observe that the way states are defined, no distinction is made between what are
normally called variables and constants. These, however, will be defined below for simple
universes.


We denote by $\Gamma$ the collection of all possible states and call it the grand
universe. Our semantics will assign to a program $\alpha$ a binary relation $m(\alpha)$ over $\Gamma$, and
to a formula P a subset of $\Gamma$ consisting of those states which satisfy P. In the sequel,
however, we will be interested in special subsets of $\Gamma$, namely universes.

A pseudo-universe U is a set of states all of which have a common domain D. A
function symbol f (resp. predicate symbol p) is called uninterpreted in U if for every
state $J \in U$ and for every function F (resp. predicate P) over D there exists $J' \in U$ such that J
and J' differ at most in the value of f (resp. p), which in J' is F (resp. P).

Notation: For any function $G: A \to B$, arbitrary element e, and $a \in A$, we define $[e/a]G$ to
be the function with domain A and range $B \cup \{e\}$ giving the same values at points in $A - \{a\}$ as
G, and such that $([e/a]G)(a) = e$. Thus, the situation described above for J' is
simply $J' = [F/f]J$.

A symbol is called fixed in U if its value is the same in all states of U. Thus,
"=" is fixed in any universe. A universe is a pseudo-universe in which every predicate
symbol is fixed and in which every function symbol is either fixed or uninterpreted. A
universe is called simple if the only uninterpreted symbols in it are a designated set of
variables. In a simple universe the fixed variables will sometimes be called constants,
following ordinary usage.


The value of a term $e = f(e_1, \ldots, e_k)$ in a state J is defined inductively, following
Tarski [64], by

$e_J = f_J(e_{1J}, \ldots, e_{kJ})$.


We now define by simultaneous induction the binary relation over $\Gamma$ corresponding to a
program $\alpha$ of RG, and those states J in $\Gamma$ which satisfy a DL-wff P. The relation will be
denoted by $m(\alpha)$, and for the latter we write $J \models P$. An element $(J, J')$ of $m(\alpha)$ can be
thought of as representing the fact that there exists a computation of
$\alpha$ starting in state J and terminating in J'. Thus, $J \models [\alpha]P$ will be seen to be making an
assertion about all terminating computations of $\alpha$ starting in state J, namely the
assertion that the final states of these computations satisfy P. Similarly, $J \models \langle\alpha\rangle P$
asserts the existence of a terminating computation of $\alpha$ starting in state J and ending in
a state satisfying P.


(1') For any variable x and term e,
     $m(x \leftarrow e) = \{(J, [e_J/x]J)\}$,

(2') For any program-free DL-wff P,
     $m(P?) = \{(J, J) \mid J \models P\}$,

(3') For any $\alpha$ and $\beta$ in RG,
     $m(\alpha;\beta) = m(\alpha) \circ m(\beta)$,
     $m(\alpha \cup \beta) = m(\alpha) \cup m(\beta)$,
     $m(\alpha^*) = (m(\alpha))^*$,
     (see Section 1.1 for further explanation),

(4') For an atomic formula $p(e_1, \ldots, e_k)$,
     $J \models p(e_1, \ldots, e_k)$ whenever $p_J(e_{1J}, \ldots, e_{kJ})$ is true,

(5') For any DL-wffs P and Q, $\alpha$ in RG and variable x,
     $J \models \neg P$ iff it is not the case that $J \models P$,
     $J \models (P \vee Q)$ iff either $J \models P$ or $J \models Q$,
     $J \models \exists x P$ iff there exists an element d in $D_J$ such that $[d/x]J \models P$,
     $J \models \langle\alpha\rangle P$ iff there exists a state J' such that $(J, J') \in m(\alpha)$ and $J' \models P$.

Note that the only kinds of formulae whose truth in state J depends possibly upon states
other than J are those containing subformulae of the form $\exists x P$ and $\langle\alpha\rangle P$.


In most of this thesis we will primarily be interested in investigating the truth
of DL-wffs in a given simple universe U. However, one can see that for some $J \in U$ and some
assignment $x \leftarrow e$ the unique state J' such that $(J, J') \in m(x \leftarrow e)$, i.e. the state $[e_J/x]J$,
might not be in U at all. We outlaw this phenomenon by adopting, from now on, the
convention that in the context of a given universe the only programs we consider are
those in which the variables assigned to (e.g. x in $x \leftarrow e$) and the quantified variables
(e.g. x in $\exists x P$) are uninterpreted. Thus, for $J \in U$ and for any DL-wff P, the truth of P
in J can be seen to depend only on states in U.

We use abbreviations as in Chapter 1, and thus will write $J\alpha J'$ for $(J, J') \in m(\alpha)$, and
for $[\alpha]P$, which stands for $\neg\langle\alpha\rangle\neg P$, we have again

$J \models [\alpha]P$ iff $\forall J'(J\alpha J' \supset J' \models P)$.

Given a universe U we say that a DL-wff P is U-valid ($\models_U P$) if for every $J \in U$
we have $J \models P$. We say P is valid ($\models P$) if it is U-valid for every universe U in which, in
line with the above convention, the assigned and quantified variables of P are uninterpreted.


The following are examples of valid DL-wffs:

$[(x=z \wedge y=u)?;(x \leftarrow f(x) \cup y \leftarrow f(y))](x=z \vee y=u)$,
$x=y \supset [(x \leftarrow f(f(x)))^*]\langle(y \leftarrow f(y))^*\rangle x=y$,
$x=y \supset [(x \leftarrow f(x))^*](p(x) \supset (x=y \vee \langle(y \leftarrow f(y))^*\rangle p(y)))$.

The first asserts that at most one of the components of $\cup$ is executed. The second states
that the process of repeatedly applying a function composed with itself is a special case
of that of repeatedly applying it. The third asserts that the process of achieving a
property of x by repeatedly applying f can be simulated in y.


Denote by N the simple universe of pure arithmetic; i.e. the domain D is the set
of natural numbers and $+$, $\cdot$ and 0 are fixed with their standard interpretations. We
freely use standard arithmetical abbreviations such as $\geq$, gcd etc. (Whenever, in the
context of the natural numbers, we use the symbol $-$, it is to be understood to stand for
the so-called "monus" operation, i.e. $x-y$ is the difference between x and y if $x \geq y$, and 0
otherwise. Also, we abbreviate $x=x$ to true and $\neg$true to false.)

The following are N-valid DL-wffs:

$\langle(x \leftarrow x-1)^*\rangle x=0$,
$\neg y>0 \vee \langle y \geq 0?\rangle$true,
$[(x=x' \wedge y=y' \wedge x \cdot y>0)?]\langle(x \neq y?;(x>y?;x \leftarrow x-y \cup \neg x>y?;y \leftarrow y-x))^*;x=y?\rangle\, x=\mathrm{gcd}(x',y')$.

The last example asserts that the program inside the diamond, under the assumption that
its two inputs are positive integers, terminates and computes the gcd of these inputs.
This program can be written in more popular terms as:

while x≠y do
  if x>y then x←x-y
  else y←y-x
end.

We adopt the standard definition of a free occurrence of a variable x in a first-order
formula P to be an occurrence of x which is not within a subformula of the form $\exists x Q$.

Lemma 2.1: For every assignment $x \leftarrow e$ and first-order formula P
we have $\models \langle x \leftarrow e\rangle P \equiv P^x_e$, where $P^x_e$ denotes the result of substituting e for the
free occurrences of x in P (renaming bound variables of P if necessary, so that no variable of e is captured).


2.2 Descriptive Power.

One of the virtues of logics such as DL is the fact that they provide a general
framework in which it is possible to express a wide variety of concepts and notions, for
each of which one would otherwise have to invent a special notation. The advantages of
this uniformity are by no means only notational; elementary results and relationships are much
more obscure and harder to come by when these concepts are developed under separate cover.
This argument is implicit in Sections 3.3 and 6.3 as well as in [24].

The examples in Section 2.1 convey something of the expressive power of DL, the
first set of valid ones being true for "universal" reasons and the others for reasons
stemming from properties of the specific universe in question, in this case that of
arithmetic. Indeed, when people reason informally about real programs, they generally
have in mind a particular interpretation for the symbols appearing in the program.
Consequently, we will be more interested in this thesis in providing tools for
"domain dependent" reasoning, e.g. for proving the validity of a DL-wff in a given
universe U.

Although we wish to stress the fact that one can write complex DL-wffs (e.g.
alternations of boxes and diamonds of arbitrary length are certainly permitted), we point
to some particular elementary properties of programs and show how to express them with
relatively simple formulae in DL, given a universe U:
- Partial correctness of $\alpha$ wrt P and Q (Hoare's [27] $P\{\alpha\}Q$): $\models_U (P \supset [\alpha]Q)$,
- Existence of a Q-terminating path of $\alpha$: $\models_U \langle\alpha\rangle Q$,
- Existence of a Q-terminating path of $\alpha$ under the assumption P: $\models_U (P \supset \langle\alpha\rangle Q)$.
  (This turns out to be the total correctness of $\alpha$ wrt P and Q when $\alpha$ is
  deterministic; also see Section 2.3.4 and Chapter 5 of this thesis.)

For any $\alpha \in$ RG, define var($\alpha$) as a finite vector consisting, in some fixed standard
order, of all variables appearing to the left of the assignment symbol $\leftarrow$ in $\alpha$.

- Equivalence of $\alpha$ and $\beta$: $\models_U \forall Z'(\langle\alpha\rangle Z=Z' \equiv \langle\beta\rangle Z=Z')$, where
  $Z$ = var($\alpha$) = var($\beta$), $Z'$ is a vector of the same length as Z whose components are
  distinct variables not in var($\alpha$), and $Z=Z'$ abbreviates the conjunction of the equalities
  of corresponding components.

- Determinacy of $\alpha$ (all terminating paths have a common final state):
  $\models_U \forall Z'(\langle\alpha\rangle Z=Z' \supset [\alpha] Z=Z')$.


2.3 Variations.

Regular programs of the kind we have defined combine simple assignments and first-order
tests by means of nondeterministic choice, composition and iteration. In this section we
consider a number of variations on this set of programs.

We are about to introduce various logics and give them names, and we would like to be
able to compare their expressive power. If it is the case then, that for two such logics
A and B, the wffs of A are a subset of those of B, we will denote by A < B the assertion
that there exists a B-wff P such that for no A-wff Q is it the case that $P \equiv Q$ is a valid B-wff.
2.3.1 Array Assignment.

An array-assignment is a basic program which can change the value of a function
symbol at a specific point. This is done by writing $f(z) \leftarrow e$ where f, z and e are
respectively a k-ary function symbol, a k-tuple of variables, and a term. We restrict
ourselves for simplicity to the case where k=1.

To obtain this new language, which we call array-DL, the following
clauses are added to the definitions of the syntax and semantics of DL respectively:

(1a) For any unary function symbol f, variable x and term e,
     $f(x) \leftarrow e$ is in RG,

(1a') For any unary function symbol f, variable x and term e,
     $m(f(x) \leftarrow e) = \{(J, [F/f]J) \mid F = [e_J/x_J]f_J\}$.

Note that although a program with array assignments can change the value of f at
unboundedly many points (e.g. as might be the case with the program $(x \leftarrow g(x); f(x) \leftarrow y)^*$),
it cannot in general change the "entire" value of f as in a second-order assignment of the
form $f \leftarrow g$, which, although constituting another plausible variation, is not allowed here.
We extend our convention of Section 2.1 to require that in the context of a given universe
U we allow array assignments of the form $f(x) \leftarrow e$ only if f is uninterpreted in U.

Open Problem: Is DL < array-DL?

Answering this question in the affirmative would involve exhibiting an
array-DL-wff P and showing that for no DL-wff Q do we have $\models (P \equiv Q)$. Certainly, the
obvious fact that certain programs can be written easily and succinctly using array
assignments will not be affected by an answer to this question; it is strictly a question
about the power of expression of a formal logic for reasoning about these programs.


2.3.2 Random Assignment.

A random-assignment is a basic program which in a state J can change the value of
a variable x nondeterministically to any element of the domain $D_J$. Strictly speaking,
however, this type of assignment is appropriate (and of use) only when x is
uninterpreted, in which case every element of $D_J$ is indeed a possible value of x.

The following clauses are then added to the syntax and semantics clauses of the definition
of DL to obtain random-DL:

(1b) For any variable x, $x \leftarrow ?$ is in RG,
(1b') For any variable x, $m(x \leftarrow ?) = \{(J, [d/x]J) \mid d \in D_J\}$.

Thus, $x \leftarrow ?$, when started in J, can terminate in any state which differs from J at most in
the value of x.

Lemma 2.2: For any universe U, uninterpreted variable x and DL-wff P, we have
$\models_U (\langle x \leftarrow ?\rangle P \equiv \exists x P)$ and $\models_U ([x \leftarrow ?]P \equiv \forall x P)$.

This obvious fact ties random assignment to ordinary quantification at the level of formulae;
whether random assignment nevertheless adds to the expressive power of the logic when it is
used inside programs is open:

Open Problem: Is DL < random-DL?


We do have the following result, which refers to DL with both array and
random assignments, which we call array-random-DL.

Theorem 2.3 (Meyer [44]): array-DL < array-random-DL and random-DL < array-random-DL.

This result is proved by exhibiting a formula P of the doubly augmented logic which is not
equivalent to any formula of DL with array-assignment or random-assignment (but not both), namely

$P: \langle\alpha\rangle\forall y\langle\beta\rangle$true,

where $\alpha$ is a program which, using array and random assignments, assigns arbitrary
elements of the domain to f(z), f(f(z)), ..., and

$\beta: x \leftarrow z;(x \leftarrow f(x))^*;(x=y)?;(x \leftarrow f(x))^*;(x=z)?$.

P is a formula of this doubly augmented DL which is true in a state J iff the domain of J
is finite: $\alpha$ makes possible assigning f(z), f(f(z)), etc. to some random elements of the
domain, and $\beta$ makes sure that y is on the "f-cycle" starting from z. Finiteness, then,
is definable in DL with both array- and random-assignment. It can be shown however, and
this is the content of the remainder of the proof of Theorem 2.3, that finiteness is not
definable in either array-DL or in random-DL.
2.3.3 Rich Test.

Rich-test-DL is the first-order version of the PDL defined in Section 1.2. It
allows tests in programs to involve other programs (which themselves might involve such
tests etc.). Thus a program $\alpha$ might pause, asking something like "can program $\beta$ halt
on input x if started right now?", and continue without side effects iff the answer was
"yes".

The definition of rich-test-DL is identical to that of DL except that clause (2)
in that definition is changed to read:

(2) For any rich-test-DL-wff P, $P?$ is in RG.

So that, for example, a desired effect could be guaranteed "in advance" as in the program
$\alpha: (([\beta]P)?;\beta)^*$, for which $P \supset [\alpha]P$ is valid. Here $\beta$ is not executed unless P is
guaranteed to hold upon completion.

Open Problem: Is DL < rich-test-DL?


2.3.4 Deterministic Dynamic Logic (DDL).

DDL is the deterministic version of DL, i.e. the only programs allowed inside
boxes and diamonds are deterministic ones. We do this by defining the set of DDL-wffs to
be simply the set of DL-wffs in which $\cup$ and $*$ appear only in constructs of the form
(if P then $\alpha$ else $\beta$), i.e. $(P?;\alpha \cup \neg P?;\beta)$, and (while P do $\alpha$), i.e. $((P?;\alpha)^*;\neg P?)$,
with P program-free. We call this restricted class of programs
DRG, and clearly they correspond to the well-known while programs. The semantics of DDL
is the same as that of DL.
Lemma 2.4: For any universe U, state $J \in U$ and program $\alpha \in$ DRG, there is at most one state
$J' \in U$ such that $J\alpha J'$.

Corollary 2.5: The following are valid for every $\alpha \in$ DRG and DL-wffs P and Q:
(a) $\langle\alpha\rangle P \equiv ([\alpha]P \wedge \langle\alpha\rangle$true$)$,
(b) $\langle\alpha\rangle(P \wedge Q) \equiv (\langle\alpha\rangle P \wedge \langle\alpha\rangle Q)$.

Proof: We prove (a). $J \models \langle\alpha\rangle P$ iff $\exists J'(J\alpha J' \wedge J' \models P)$ iff (by the lemma, the
successor of J being unique) $\exists J'(J\alpha J' \wedge \forall J''(J\alpha J'' \supset J'' \models P))$ iff
$\exists J'(J\alpha J') \wedge \forall J''(J\alpha J'' \supset J'' \models P)$ iff $J \models (\langle\alpha\rangle$true $\wedge [\alpha]P)$.
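Corollary 2.5(a) checked by brute force, as an added example (not from the thesis). A program is represented directly by its binary relation m(α) as a set of state pairs, a formula by the set of states satisfying it, and the clauses for <α> and [α] from Section 2.1 are applied literally. The state set and the relations DET and NONDET are constructed for the example: DET has the functionality property of Lemma 2.4 and so satisfies the equivalence at every state, including a state with no computation at all, while NONDET, which branches at state 0, violates it there (one branch reaches P, so <α>P holds, but [α]P does not).

```python
"""Corollary 2.5(a) over an abstract finite set of states. Added example."""

def diamond(rel, P, j):
    """J |= <alpha>P, with m(alpha) = rel and P the set of states satisfying it."""
    return any(k in P for (i, k) in rel if i == j)

def box(rel, P, j):
    """J |= [alpha]P, i.e. not <alpha>not P: every successor of j lies in P."""
    return all(k in P for (i, k) in rel if i == j)

def is_functional(rel):
    """The property of Lemma 2.4: at most one successor per state."""
    firsts = [i for (i, _) in rel]
    return len(firsts) == len(set(firsts))

def violations(states, rel, P):
    """States where <alpha>P and (<alpha>true ^ [alpha]P) disagree; empty iff 2.5(a) holds."""
    true = set(states)   # 'true' is satisfied by every state
    return sorted(j for j in states
                  if diamond(rel, P, j) != (diamond(rel, true, j) and box(rel, P, j)))

# Constructed data: states 0..3 and the post-condition P = {1}.
STATES = {0, 1, 2, 3}
DET = {(0, 1), (1, 2), (2, 2)}             # functional; 3 has no computation at all
NONDET = {(0, 1), (0, 2), (1, 2), (2, 2)}  # state 0 may go to 1 or to 2
P = {1}

if __name__ == '__main__':
    print(is_functional(DET), violations(STATES, DET, P))        # True []
    print(is_functional(NONDET), violations(STATES, NONDET, P))  # False [0]
```

State 3 of DET illustrates why the conjunct <α>true is needed: [α]P holds there vacuously, since no computation terminates, while <α>P is false.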


Here the question of whether nondeterminism adds more expressive power is most
interesting, and also unanswered as of now. An answer would hopefully supply
insight into proposals to employ nondeterminism as a programming construct.

Open Problem: Is DDL < DL?

One can also define DPDL as PDL with similar restrictions upon the set of regular
expressions over AP. There too we have:

Open Problem: Is DPDL < PDL?

Note though, that the programs in DPDL can be nondeterministic by virtue of the
interpretation assigning a non-functional relation to an atomic program. However, we can
restrict the structures and ask the same question:

A binary relation r is said to be functional if for every a there is at most one b such
that $(a,b) \in r$.

Open Problem: Is it the case that for every PDL-wff P there exists a DPDL-wff Q such that
$\models_S (P \equiv Q)$ for every structure S in which $m(a)$ is functional for every atomic program $a \in$ AP?


We now define the notion of total correctness, i.e. the assertion that a
program will terminate in a state satisfying the required conditions:

Definition: A program $\alpha$ in DRG is totally correct with respect to a universe U and
DDL-wffs P and Q, if $\models_U (P \supset \langle\alpha\rangle Q)$.

Note that Corollary 2.5(a) substantiates the widely used fact that for deterministic
programs, proving partial correctness and termination is the same as proving total
correctness (see for example Manna [39]).

Thus, DL is a tool powerful enough to express the concept of total correctness for
deterministic programs. However, in Chapter 5 we will see that this notion is much more
subtle when nondeterministic programs are allowed.

Another interesting restriction on the programs in DL is the guarded commands
language of Dijkstra [13]. We define this language in Section 5.5.


2.3.5 R.e. Dynamic Logic.

As it turns out (see for example Section 2.4), many interesting properties of
dynamic logic are invariant under drastic changes to the complexity of the programs
involved. To provide a definite class which can be thought of as a plausible "upper bound"
on this complexity, we introduce r.e. programs.

A regular program of RG can be thought of as a regular set of strings over the
basic alphabet of assignments and tests. It is easy to see that taking the meaning of
these programs to be the union (over this set) of the binary relations obtained by
composing the relations corresponding to the components of each string in order, is
consistent with our definition of the meaning of the regular expressions over this
alphabet. R.e.-DL is obtained in a similar way by adopting as programs r.e. sets of
strings over the above alphabet and defining their meaning similarly. One particular way
in which to represent these programs is to supply a description of the Turing machine
which recognizes this r.e. set, along with the (finite) sets of assignments and tests
involved. The semantics of r.e.-DL-wffs is then obtained similarly to that of DL.

Thus, these programs are so complex that merely deciding at each point in
the execution "what to do next" might take the full power of Turing machines.
Nevertheless, it turns out that this complexity does not affect most of the results about
the validity problem in DL.
2.4 The Validity Problem for DL.

In this section we state some results concerning the question of how hard it is to
decide whether a given DL-wff is valid. Since a valid DL-wff is one which is true in
every state of every universe, this is not, so to speak, a "domain dependent" question
but rather a question involving the behavior of completely uninterpreted programs.
Throughout this section, we will use the notation of Rogers [58] for indicating degrees of
undecidability.


The first fact about DL is the well-known recursive enumerability of the set of valid
first-order formulae:

Lemma 2.6: The valid program-free DL-wffs form an r.e. set.

(These are precisely the valid formulae of ordinary first-order predicate calculus.)

Lemma 2.7: The valid DL-wffs in which only loop-free (star-free) programs appear form an r.e. set.

Proof: Trivial, using Lemmas 2.1 and 2.6 to eliminate the loop-free programs.

Theorem 2.8 (Meyer and Pratt [22]): The valid DL-wffs of the form $\langle\alpha\rangle P$, where P is
first-order and $\alpha$ is any r.e. program, form an r.e. set.

In other words, attaching one diamond (even with the most complicated program in
it) to a first-order formula does not make the validity problem any more difficult. In
particular, one can extend this result to formulae of the form $P \supset \langle\alpha\rangle Q$ for program-free P
and Q, showing that deciding validity of total-correctness assertions for deterministic programs
likewise remains an r.e. problem.


Theorem 2.9 (Meyer and Pratt [22]): The valid DL-wffs of the form $[\alpha]P$, where P is
program-free and the set of programs is taken to be as large as the set of r.e. programs
or as small as the singleton $\{x \leftarrow y;(x \leftarrow f(x))^*\}$, form a $\Pi^0_2$-complete set.

Thus, attaching one box to a first-order formula gives rise to a very hard validity
problem (as hard, in fact, as the totality problem for Turing machines). (Similarly, one
can extend this to the class of valid partial correctness assertions.) However, if the
formula P to which $[\alpha]$ is attached (the output specification of the partial correctness
assertion) is free of existential quantifiers, i.e. is a universal formula, the problem
is easier:

Theorem 2.10 (Meyer and Pratt [22]): The valid DL-wffs of the form $[\alpha]P$, where $\alpha$ is
as in Theorem 2.9 and P is a universal first-order formula, form a $\Pi^0_1$-complete set.

The hopes of keeping the validity problem for the whole of DL down to some place
in the arithmetic hierarchy are shattered by the following theorem:

Theorem 2.11 (Meyer, [22] and [44]): The valid DL-wffs of each of the following forms
form a $\Pi^1_1$-complete set, where the set of programs involved can, in each case, be
taken to be as large as the set of r.e. programs or as small as the singleton
$\{x \leftarrow y;(x \leftarrow f(x))^*\}$:

(a) $\exists x[\alpha]P$, P a first-order formula,
(b) [form not legible in the source], P a quantifier-free first-order formula,
(c) $\langle\beta\rangle[\alpha]P$, P a quantifier-free first-order formula,
(d) [form not legible in the source].

Thus, the validity problem for DL is extremely hard, in fact as hard as deciding
the validity of general universal second-order formulae of the form $\forall F\,P$, where P is
a first-order formula of arithmetic. It gets that way, however, for quite simple formulae,
with only one "alternation" of programs (here we like to view $\exists x$ as $\langle x \leftarrow ?\rangle$). The upper
bound of $\Pi^1_1$ can be shown to hold for all the variations we have considered; in
particular, the set of valid formulae of rich-test-random-array-DL also forms a
$\Pi^1_1$-complete set.

These results, then, eliminate any possibility of obtaining (absolutely) complete
axiomatizations of any interesting portions of DL. In the next chapter we will see,
however, that the situation is not so grim.

We remark here that Meyer [44] has also been able to show that the set of valid
formulae of Salwicki's [59] algorithmic logic is also $\Pi^1_1$-complete. This is contrary
to erroneous results in Kreczmar [32].


3. Arithmetical Axiomatization.

In this chapter we introduce the approach of supplying a syntactic characterization
of the U-valid DL-wffs for specific universes U which contain a copy
of arithmetic. This characterization takes the form of an axiom system P for DL
which makes explicit use of variables that range over the natural numbers. For any such
universe A we show that P is A-complete, i.e. that in it one can prove every A-valid
DL-wff. This property we term arithmetical completeness.

As will become evident in the sequel, the natural numbers are used in first-order
formulae to "count" the number of times $\alpha$ is executed in $\alpha^*$. We do not use the extra
power in which we indulge in order to introduce "arithmetical instruments" into the
programs, i.e. assignments to variables which range over the natural numbers, as is done
e.g. by Owicki [47]. In fact, one's programs might
not involve integers at all, and the universe over which they are written
can be extended to an arithmetical one.

Anticipating our need for applying the same basic argument in later chapters,
we state and prove a rather general theorem in Section 3.1 which is a
generalization of the induction step which we need for our completeness theorem in Section
3.2. This step is common to the completeness theorems for all the logics we consider in
this thesis, and in fact we envision it as taking care of a major part of the proofs of
similar completeness results in the future. In Section 3.1 we also define
an arithmetical universe, noting that any universe can be extended to an arithmetical one.
It is then proved that for an arithmetical universe A there is, for every DL-wff, a
first-order formula equivalent to it over that universe. Section 3.2 contains our axiom
system P for DL and proofs of its arithmetical soundness and completeness. Section 3.3
contains the restriction DP of P for dealing with DDL, and in Section 3.4
we remark on the relationships holding between our approach to
completeness and Mirkowska's [41] infinitary axiomatizations.
3.1 The Theorem of Completeness and Arithmetical Universes.

In this section we prove a general theorem which will be applied five times in the
thesis for obtaining completeness results for arithmetical axiomatizations of various
logics of programs. It will allow us to deduce, for example, the arithmetical
completeness of an axiom system for DL given that that system is complete for proving
basic formulae involving at most one program. The theorem, however, will be stated in
very general terms.


Denote the set of first-order formulae by L. Assume we are given a universe U, a
set K, and a functional

$M: K \times 2^U \to 2^U$.

The M-extension of L, L(M), is defined to be the following language, which is L
augmented with one formation rule:

(1) Any atomic formula is in L(M),
(2) For any $k \in K$, variable x and L(M)-wffs P and Q,
    $\neg P$, $(P \vee Q)$, $\exists x P$ and $(M_k)P$ are L(M)-wffs.

The semantics of L(M) are defined such that $J \models (M_k)P$ holds whenever
$J \in M(k, \{J' \mid J' \models P\})$; all the other clauses receive their standard meanings.

Some intuition might be gained at this point by noticing that if K is taken to be
the class of programs RG and $(M_\alpha)P$ is taken to be $\langle\alpha\rangle P$, then L(M) is in fact
regular first-order dynamic logic, i.e. DL.


We now define some important concepts to be used in the sequel.

We say that L is U-expressive for L(M) if for every L(M)-wff P there exists an L-wff Q
such that $\models_U P \equiv Q$.

An axiom system P(M) for L(M) is any set of axioms (or axiom schemas) and inference rules
over L(M). Provability of an L(M)-wff P in P(M) is defined in the standard way and is
denoted by $\vdash_{P(M)} P$. P(M) is said to be U-sound if all the axioms are U-valid and all
the rules of inference preserve U-validity. Note then, that if P(M) is U-sound, then
whenever $\vdash_{P(M)} P$ holds, $\models_U P$ does too.

P(M) is said to be propositionally complete if all instances of tautologies of the propositional
calculus are theorems of P(M) and modus ponens is in the set of inference rules. P(M) is
said to be U-complete if for every L(M)-wff P such that $\models_U P$ we have $\vdash_{P(M)} P$.


Theorem 3.1 (Theorem of Completeness): For any universe U and M-extension L(M) of L, a
U-sound axiom system P(M) for L(M) is U-complete whenever

(1) P(M) is propositionally complete,
(2) L is U-expressive for L(M),
(3) For any $k \in K$ and L(M)-wffs R and Q,
    if $\vdash_{P(M)} (R \supset Q)$ then $\vdash_{P(M)} ((M_k)R \supset (M_k)Q)$, and
(4) For any $k \in K$, L-wffs R and Q, and $\rho$ one of $(M_k)$, $\neg(M_k)$, $\exists x$ or $\neg\exists x$,
    if $\models_U (R \vee \rho Q)$ then $\vdash_{P(M)} (R \vee \rho Q)$.

Proof: We have to prove that if P is an L(M)-wff such that $\models_U P$, then $\vdash_{P(M)} P$.
By the propositional completeness of P(M), we can assume that P is given in conjunctive
normal form, and we proceed by induction on the sum of the number of appearances of M and
the number of quantifiers in P. Assume the theorem holds for any formula with n-1 or fewer
appearances of M and quantifiers. If P is of the form $P_1 \wedge P_2$ then we have $\models_U P_1$ and
$\models_U P_2$, both of which have to be proved in P(M), so that we can restrict our attention to
a single conjunct, which is of one of the forms

$P_1 \vee (M_k)P_2$, $P_1 \vee \neg(M_k)P_2$, $P_1 \vee \exists x P_2$ or $P_1 \vee \neg\exists x P_2$,

where $k \in K$ and $P_1$ and $P_2$ each have fewer than n appearances of M and quantifiers. Let us
use $\rho$ to denote $(M_k)$, $\neg(M_k)$, $\exists x$ or $\neg\exists x$, according to which is the case.

L is expressive for L(M), and so for any L(M)-wff Q there is some L-wff $Q_L$
which is equivalent to Q. We have then $\models_U (P_{1L} \vee \rho P_{2L})$. Now, using assumption (4)
(since $P_{1L}$ and $P_{2L}$ are in L) we also have

(*) $\vdash_{P(M)} (P_{1L} \vee \rho P_{2L})$.

Now surely, by the definition of $P_{1L}$ and $P_{2L}$, we have $\models_U (P_{1L} \supset P_1)$ and
$\models_U (P_{2L} \supset P_2)$ (when $\rho$ is $\neg(M_k)$ or $\neg\exists x$ we use $\models_U (P_2 \supset P_{2L})$ instead, so that
the implication is in the direction $\rho$ preserves). Both these latter formulae have fewer than n
appearances of M and quantifiers, and hence by the inductive hypothesis

(**) $\vdash_{P(M)} (P_{1L} \supset P_1)$ and $\vdash_{P(M)} (P_{2L} \supset P_2)$ (resp. $\vdash_{P(M)} (P_2 \supset P_{2L})$).

By assumption (3) in the case where $\rho$ involves M (the quantifier case being handled by
first-order reasoning), together with propositional completeness, we obtain from the latter

(***) $\vdash_{P(M)} (\rho P_{2L} \supset \rho P_2)$.

From (*), (**) and (***), by propositional reasoning, we get $\vdash_{P(M)} (P_1 \vee \rho P_2)$, i.e. $\vdash_{P(M)} P$.


Our goal in the next section is to apply this theorem to DL, viewed as an
M-extension of L as indicated above. In order to do this, we define a set of universes,
the arithmetical universes, each of which satisfies requirement (2) of the Theorem. This
fact is proved below in Theorem 3.2.

An arithmetical universe A is a universe in which the domain includes the set of natural
numbers, the binary function symbols $+$ and $\cdot$ are fixed and given their standard meanings
(addition and multiplication respectively) when applied to the natural numbers in the
domain, and 0 and 1 are fixed zeroary function symbols interpreted as the natural
numbers "zero" and "one" respectively. Furthermore, there is a fixed unary predicate
symbol nat with the interpretation "nat(d) is true iff d is a natural number", that is,
for every state J, $\{d \in D_J \mid \mathrm{nat}_J(d)\}$ is the set of natural numbers. Thus, we are able to
distinguish the natural numbers in the domain from the other elements, and we do not care,
say, what the value of $x+y$ is in state J when it is not the case that $\mathrm{nat}_J(x_J)$ holds.

An additional property we require of an arithmetical universe is the ability to encode
finite sequences of elements into one element. This is stated
as follows:

There exists a total predicate $R(x,i,y)$ over the domain of A,
such that for any natural number n it is the case that we have
$\models_A \forall x_1 \ldots \forall x_n \exists y \forall i (\mathrm{nat}(i) \wedge 1 \leq i \leq n \supset \forall x(R(x,i,y) \equiv x = x_i))$.

The intuition is that $R(x,i,y)$ holds iff x is the i-th element of the sequence encoded by y,
and that any finite sequence $x_1, \ldots, x_n$ can be encoded as such a y.

Note that one particular arithmetical universe is the universe N of "pure
arithmetic"; that is, the universe in which the domain is precisely the set of natural
numbers, and $+$, $\cdot$, 0, 1 and nat (which in this case is identically true) are the only
function and predicate symbols, and in which a standard arithmetical encoding of finite
sequences by natural numbers (see [62]) serves as the finite-sequence encoding predicate.

Any universe U can be extended to an arithmetical
universe A by augmenting it, if necessary, with the natural numbers, $+$, $\cdot$, 0, 1, nat and the
apparatus for encoding finite sequences. Thus, reasoning about any kind of program,
written over any domain, can be carried out in an arithmetical
universe.

Take K to be RG and $M(\alpha, S)$ to be the set of states from which $\alpha$ can reach a state in S,
i.e. $\{J \mid \exists J'(J\alpha J' \wedge J' \in S)\}$; then L(M) is simply DL.

We remark here that M has been chosen to take sets of states as arguments because the
functionals M (such as $\langle\alpha\rangle$) in which we are interested depend only on the set of states
satisfying P; consequently the truth of $(M_k)P$ in a state is determined by that set alone.
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Theorem 3.2: L is A-expressive for DL. 


Proof: We have to show that for every DL-wff P there exists an L-wff P₁ such that ⊨_A(P ≡ P₁). We proceed by induction on P. The cases where P is an atomic formula, or of one of the forms ¬Q, Q∨R or ∃xQ, are straightforward. Assume P is of the form <α>Q for α∈RC and assume Q₁ is the L-wff which is A-equivalent to Q. Denote var(α) by Z, and by Z' denote a vector of the same length as Z whose components are distinct variables not in var(α). By convention we denote by x' the element of Z' corresponding to an element x of Z. We show, by induction on the structure of α, that there exists an L-wff F_α(Z,Z') such that for any DL-wff Q we have


Seat 
NAB S 


where (Q)^{Z'}_{Z} is the obvious generalization of (Q)^x_e to vectors of variables. Thus, in a sense, we find a formula F_α which is true of Z and Z' iff α can "change" the value of Z to that of Z'.


For an assignment x←e, take F_{x←e} to be x'=e. Surely <x←e>Q is A-equivalent to <x←e>Q₁, which is A-equivalent to (Q₁)^x_e, or in fact to ∃x'(x'=e ∧ (Q₁)^{x'}_{x}).


For the case where α is of the form β∪β', take F_{β∪β'}(Z,Z') to be (F_β ∨ F_β').


Similarly, when α is β;β', F_{β;β'}(Z,Z') is taken to be (∃Z'')(F_β(Z,Z'') ∧ F_β'(Z'',Z')).


Here Z'' is a "fresh" vector like Z'. It is easy to see that (*) holds for both these cases.


Assume α to be of the form β*. By standard means, using the encoding of finite sequences into single elements of the domain, we can construct an "iteration" formula ITR_β with a free variable n, such that we have ⊨_A(ITR_β(0) ≡ Z=Z'), where Z=Z' abbreviates the conjunction of the equalities of the corresponding components of Z and Z'; ITR_β(1) ≡ F_β; and for any natural number n>1 we have (slightly abusing strict notation)

ITR_β(n) ≡ (∃Z₁)...(∃Z_{n-1})(F_β(Z,Z₁) ∧ F_β(Z₁,Z₂) ∧ ... ∧ F_β(Z_{n-1},Z')).

It is then easy to see that for any n, <βⁿ>Q is A-equivalent to (∃Z')(ITR_β(n) ∧ (Q)^{Z'}_{Z}), and hence that F_{β*} can be taken to be (∃n)(nat(n) ∧ ITR_β(n)), and that then (*) will hold. ∎
Thus by inspecting the assumptions of Theorem 3.1 in this context we arrive at the conclusion that if we can find an A-sound axiom system P for DL such that


(a) P is propositionally complete,
€b) cede Aa tw tnt, 


<α>R ⊃ <α>Q,


and (d) we can prove completeness of P for formulae of the form R⊃<α>Q and R⊃[α]Q with first-order R and Q,


then indeed by Theorem 3.1 we have an A-sound and A-complete axiom system which, for every arithmetical universe A, when augmented with all A-valid
Oe In the next 


csi wake auch Dace wligsoces oaks ik DL. 
In the sequel A stands for an arithmetical universe, and L for the set of first-order formulae. When talking about arithmetical universes we will often want to use n, m, ... to stand for variables ranging only over the natural numbers. We do this by adopting the following convention:


-. the variable iva teh variant, ee cast, « ice duie 




(P¢ w)dQ) isterae: t: sy tno te water panelepe. alletaanabenteiiy ‘a scuaraalons 
ViPin} stands for’ ‘Vert marta ioeh wih; wnt ea eng Soden) ERD 


Consider the following axiom system P for DL:

Axioms:

(A) All instances of tautologies of the propositional calculus.
(B) All A-valid L-wffs.
(C) [x←e]P ≡ (P)^x_e, for an L-wff P.
(D) [Q?]P ≡ (Q ⊃ P).
(E) [α;β]P ≡ [α][β]P.
(F) [α∪β]P ≡ ([α]P ∧ [β]P).

Inference rules:

(G) P, P⊃Q
    Q

(H) P⊃Q
    [α]P ⊃ [α]Q

(I) P⊃[α]P
    P⊃[α*]P

(J) P(n+1) ⊃ <α>P(n)
    P(n) ⊃ <α*>P(0)        for an L-wff P with free n, such that n∉var(α).

Rules (I) and (J) are called the rules of invariance and convergence respectively.


A DL-wff P is said to be provable in P, written ⊢_P P, if there exists a finite sequence S of DL-wffs, the last one being P, such that each formula in S is an axiom (or an instance of an axiom scheme) or is obtained from previous formulae of S by one of the rules of inference.


We first establish the soundness of the inference rules which appear in P: 


Lemma 3.3: For any universe U, DL-wffs R and Q, and α∈RC, if ⊨_U(R⊃Q) then ⊨_U([α]R ⊃ [α]Q).

Proof: Assume ⊨_U(R⊃Q), and J ⊨ [α]R for some J∈U. Thus for every J'∈U such that (J,J')∈m(α) we have J' ⊨ R. Surely then, from J' ⊨ R⊃Q we have J' ⊨ Q. Thus, J ⊨ [α]Q. ∎
Lemma 3.4: For any universe U, DL-wff P and α∈RC, if ⊨_U(P⊃[α]P) then ⊨_U(P⊃[α*]P).

Proof: Assume ⊨_U(P⊃[α]P) and J ⊨ P for some J∈U. We have to show J ⊨ [αⁿ]P for all n. We proceed by induction on n. For n=0, J ⊨ [α⁰]P iff J ⊨ [true?]P iff J ⊨ (true ⊃ P) iff J ⊨ P, which is assumed. Assume J ⊨ [αⁿ]P. By ⊨_U(P⊃[α]P) we can obtain ⊨_U([αⁿ]P ⊃ [αⁿ][α]P), and then conclude J ⊨ [αⁿ][α]P, or J ⊨ [αⁿ⁺¹]P. ∎


Lemma 3.5: For any L-wff P(n) and α∈RC, where n∉var(α), if ⊨_U(P(n+1) ⊃ <α>P(n)) then ⊨_U(P(n) ⊃ <α*>P(0)).

Proof: Assume ⊨_U(P(n+1) ⊃ <α>P(n)) and J ⊨ P(n). We show J ⊨ <α*>P(0), or J ⊨ <α^{n_J}>P(0), by induction on n_J. For n_J = 0 we have J ⊨ (true ∧ P(0)), or J ⊨ <true?>P(0), which is J ⊨ <α⁰>P(0). Assume that J ⊨ <α*>P(0) holds whenever J ⊨ P(m) and m_J = n_J − 1. By ⊨_U(P(n+1) ⊃ <α>P(n)) we conclude ∃J'((J,J')∈m(α) and J' ⊨ P(n)) with n_{J'} = n_J − 1. But then J' ⊨ <α*>P(0), from which we have J ⊨ <α><α*>P(0), or J ⊨ <α*>P(0). ∎


We remark here that the rule of invariance (I) can be replaced by the induction axiom scheme

[α*](P⊃[α]P) ⊃ (P⊃[α*]P),

which is derivable from P, and from which, in P, rule (I) can be derived.

Theorem 3.6 (A-soundness of P): For any DL-wff P, if ⊢_P P then ⊨_A P.

Proof: Follows from Lemmas 1.1, 1.1, 2.1, 3.3, 3.4 and 3.5. ∎


We now apply the general Theorem of Completeness of the previous section to obtain an arithmetical completeness result for P. However, in order to apply that theorem we have to prove that P is A-complete for formulae of the forms R⊃[α]Q and R⊃<α>Q with program-free R and Q. These two results, Box-completeness (Theorem 3.9) and Diamond-completeness (Theorem 3.11), are obtained analogously. They are both proved by induction on the structure of α. The difficulty is when α is of the form β*, in which case we show that when, say, R⊃[β*]Q is A-valid, then there is a way of proving that fact in P. This is done by exhibiting derived rules (I') and (J') below to cover these cases, and proving that they can be applied.
Lemma 3.7: The following are derived rules of P:

(H') P ⊃ Q
     <α>P ⊃ <α>Q

(I') R ⊃ P, P ⊃ [α]P, P ⊃ Q
     R ⊃ [α*]Q

(J') R ⊃ ∃nP(n), P(n+1) ⊃ <α>P(n), P(0) ⊃ Q
     R ⊃ <α*>Q                                   with P and n as in rule (J).

Proof: (H'): From ⊢_P(P⊃Q) we obtain, using (A) and (G), ⊢_P(¬Q ⊃ ¬P). Apply (H) to get ⊢_P([α]¬Q ⊃ [α]¬P), then (A) and (G) to obtain ⊢_P(<α>P ⊃ <α>Q).

(I'): From ⊢_P(P⊃[α]P) we have by (I) ⊢_P(P⊃[α*]P), and then using ⊢_P(R⊃P) and (A) and (G), we obtain ⊢_P(R⊃[α*]P). From ⊢_P(P⊃Q) and (H) we have ⊢_P([α*]P ⊃ [α*]Q), and thus again with (A) and (G), ⊢_P(R⊃[α*]Q).

(J'): Like (I') but using the fact that from ⊢_P(R⊃∃nP(n)) and ⊢_P(P(n)⊃<α*>P(0)) we can deduce ⊢_P(R⊃<α*>Q) using (B), (A) and (G). ∎


An L-wff P which A-validates the premises of (I') is called an invariant of α with respect to R and Q. The concept of invariance has been studied quite extensively in the literature on program verification, see for example [29]. An L-wff P(n) which A-validates the premises of (J') we term a convergent of α with respect to R and Q. This concept does not seem to have received adequate treatment.


We now show that it is always possible to find an invariant of α wrt R and Q under the assumption that the conclusion of rule (I') is A-valid.


Lemma 3.8 (Invariance Lemma): For every α∈RC and DL-wffs R and Q, if ⊨_A(R⊃[α*]Q) then there exists an L-wff P such that ⊨_A(R⊃P), ⊨_A(P⊃[α]P) and ⊨_A(P⊃Q).

Proof: By Theorem 3.2 there is an L-wff P which is A-equivalent to [α*]Q (i.e. ⊨_A(P ≡ [α*]Q)). Certainly by ⊨_A(R⊃[α*]Q) we have ⊨_A(R⊃P). Similarly, it is easy to see that ⊨_A(P⊃Q) and ⊨_A(P⊃[α]P). ∎


Theorem 3.9 (Box-completeness Theorem): For every α∈RC and L-wffs R and Q, if ⊨_A(R⊃[α]Q) then ⊢_P(R⊃[α]Q).

Proof: We proceed by induction on the structure of α. Assume the assertion of the theorem to hold for any β which is "smaller" than α, and assume ⊨_A(R⊃[α]Q).

For α an assignment or a test, (C) and (D) reduce the problem to that of "proving" an A-valid L-wff, which is simply an axiom.

If α is β∪β' then (F) reduces the problem to that of proving R⊃[β]Q and R⊃[β']Q, which together yield a proof of R⊃[β∪β']Q. Each of these being A-valid, we apply the inductive hypothesis to both.

If α is β;β' then we prove R⊃[β][β']Q in P in the following way and then use (E) to obtain the desired ⊢_P(R⊃[β;β']Q): by ⊨_A(R⊃[β][β']Q) we have ⊨_A(R⊃[β]P), where P is an L-wff which is equivalent to [β']Q (and exists by Theorem 3.2). Now R⊃[β]P being A-valid, we apply the inductive hypothesis to obtain ⊢_P(R⊃[β]P). Similarly we can show ⊢_P(P⊃[β']Q), and then ⊢_P([β]P ⊃ [β][β']Q), from which, using (A) and (G), we get ⊢_P(R⊃[β][β']Q).

For the case when α is β*, we simply use Lemma 3.8, which guarantees the existence of an L-wff P which renders the premises of the derived rule (I') A-valid. By the inductive hypothesis these can be proved, and then an application of (I') yields the final result. ∎


Similarly, under the assumption that the conclusion of (J') is A-valid, we can always find a convergent of α wrt R and Q.

Lemma 3.10 (Convergence Lemma): For every α∈RC and DL-wffs R and Q, if ⊨_A(R⊃<α*>Q) then there exists an L-wff P(n) with n∉var(α), such that ⊨_A(R⊃∃nP(n)), ⊨_A(P(n+1) ⊃ <α>P(n)), and ⊨_A(P(0)⊃Q).


Proof: By the proof of Theorem 3.2 one can construct an L-wff P(n) such that for every state J∈A and natural number i, if n_J = i then <αⁱ>Q is equivalent in J to P(n). This we can write (slightly abusing notation) as ⊨_A(∀n)(nat(n) ⊃ (<αⁿ>Q ≡ P(n))). Certainly by ⊨_A(R⊃<α*>Q) we deduce ⊨_A(R⊃∃nP(n)), and it is easy to see that the other A-validities hold too. ∎




Theorem 3.11 (Diamond-completeness Theorem): For every α∈RC and L-wffs R and Q, if ⊨_A(R⊃<α>Q) then ⊢_P(R⊃<α>Q).

Proof: The proof follows that of Theorem 3.9, using the derived duals of (C)-(F), and using Lemma 3.10 instead of 3.8. ∎


We can now conclude that, for DL-wffs, A-validity and provability in P are equivalent concepts:

Theorem 3.12 (Arithmetical Soundness and Completeness for DL): For any DL-wff P, ⊨_A P iff ⊢_P P.

Proof: One direction is Theorem 3.6, and the other follows from Theorems 3.1, 3.2, 3.9 and 3.11, together with the fact that (A), (B), (G) and (H) are part of P. ∎


Theorem 3.12 is significant in that it shows that a very simple axiom
system is sufficient for carrying out the (A-validity-preserving) translation of DL-wffs
to formulae of arithmetic, in a structured manner. As we point out in Section 3.4.1, 
viewing the process of proving properties of programs as ‘supplying a proof of a formula in 
an axiom system which takes all the validities of the underlying first-order language as 
axioms, is due to Cook [12]. This observation then, gives rise to viewing such ‘axiom © 
systems as mechanisms for carrying out this transtation. 


Appendix B contains a proof in P, of the A-validity 0 of a nontrivial DL-wff which 
asserts the total correctness of an iterative version of McCarthy's bo) 91-function program. 


We remark that P is also an arithmetically complete axiom system for rich-test-DL (see Section 2.3.3). Also, random-DL (2.3.2) is completely axiomatized by adding the axiom [x←?]P ≡ ∀xP to P, under the condition that in an arithmetical universe A, the only x's we allow in random assignment statements of the form x←? are uninterpreted ones. Pratt [52] has worked out the axiom to be added to P in order to completely axiomatize array-DL (2.3.2).


We also note here that we have used the "semantic completeness" approach to proving our completeness theorem. This can be seen in our taking P in the proof of Lemma 3.8 (resp. P(n) in the proof of Lemma 3.10) to be A-equivalent to [α*]Q (resp. <αⁿ>Q). A different proof of Lemma 3.8 (but not of 3.10) exists, which follows another
approach. This proof invelves caking Pte. Aeqpbualon v0 ha}, where ma”) is 
defined as {(3,9)| (J,J}emteh) Se ee en oe 
context in Section 63. bP Pires ke 


3.3 A Derived Axiomatization of DDL.


In this section we exhibit an arithmetically complete axiom system DP for DDL (see Section 2.3.4) and compare it to the systems of Hoare [27] and Wang [69]. DP is basically a "special case" of P in the sense that its axioms and rules are identical to, or are straightforwardly derived from, those of P. Nevertheless, one point in carrying out the synthesis of DP from P is precisely to exhibit the way in which special-purpose systems such as Hoare's can be derived from the general one.


Consider the following axiom system DP for DDL:

Axioms: (A), (B), (C) and (E) of P, and
(D') [if S then α else β]Q ≡ ((S ⊃ [α]Q) ∧ (¬S ⊃ [β]Q)).

Inference Rules: (G) and (H) of P, and

(I'') (P∧S) ⊃ [α]P
      P ⊃ [while S do α](P∧¬S)

(J'') P(n+1) ⊃ (S ∧ <α>P(n)), P(0) ⊃ ¬S
      P(n) ⊃ <while S do α>P(0)              with P and n as in rule (J).


Provability in DP is defined as usual.

Lemma 3.13: For any α and β in RC, DL-wff Q and test S?, the following are valid:
(1) [if S then α else β]Q ≡ ((S ⊃ [α]Q) ∧ (¬S ⊃ [β]Q)),
(2) [while S do α]Q ≡ [(S?;α)*;¬S?]Q.

Proof: Trivial from the definitions of the deterministic constructs in Section 2.3.4 and Lemmas 1.1 and 1.1. ∎


We now show the soundness of rules (I'') and (J''):


Lemma 3.14: For any universe U, L-wff P, test S? and α∈RC, if ⊨_U((P∧S) ⊃ [α]P) then ⊨_U(P ⊃ [while S do α](P∧¬S)).

Proof: We have ⊨_U(P ⊃ (S ⊃ [α]P)), or ⊨_U(P ⊃ [S?;α]P). By Lemma 3.4, ⊨_U(P ⊃ [(S?;α)*]P), and hence also ⊨_U(P ⊃ [(S?;α)*](¬S ⊃ (P∧¬S))), which is simply ⊨_U(P ⊃ [while S do α](P∧¬S)). ∎


Lemma 3.15: For any L-wff P(n), test S? and α∈RC, where n∉var(S?;α), if ⊨_U(P(n+1) ⊃ (S ∧ <α>P(n))) and ⊨_U(P(0) ⊃ ¬S), then ⊨_U(P(n) ⊃ <while S do α>P(0)).

Proof: By assumption we have ⊨_U(P(n+1) ⊃ <S?;α>P(n)), and so by Lemma 3.5 also ⊨_U(P(n) ⊃ <(S?;α)*>P(0)). By the second assumption we deduce that, in fact, ⊨_U(P(n) ⊃ <(S?;α)*>(¬S ∧ P(0))), or ⊨_U(P(n) ⊃ <while S do α>P(0)). ∎

Theorem 3.16 (Arithmetical Soundness and Completeness for DDL): For any DDL-wff P, ⊨_A P iff ⊢_DP P.

Proof: Soundness follows from Theorem 3.6 and Lemmas 3.13, 3.14 and 3.15. Completeness follows precisely in the footsteps of the proof of Theorem 3.12, using the following derived rules of DP:


(I''') R ⊃ P, (P∧S) ⊃ [α]P, (P∧¬S) ⊃ Q
       R ⊃ [while S do α]Q

(J''') R ⊃ ∃nP(n), P(n+1) ⊃ (S ∧ <α>P(n)), P(0) ⊃ (¬S ∧ Q)
       R ⊃ <while S do α>Q


We remark that (I''') is precisely Hoare's [27] inference rule for proving the partial correctness of while programs. He writes P{α}Q for ⊨(P ⊃ [α]Q). Also, (J''') is precisely one of Wang's [69] inference rules (rule T1 of [69]) for proving the total correctness of while programs. In fact, DP without rules (I'') and (J'') represents a simple rephrasing of Hoare's [27] original system. We note, therefore, that we have shown both these rules to be derived in a simple way from the more general rules of P.


We refer the interested: reader to tive sorvey: CZEX tiv tofiial: toe present more 


observations concerning other axiom systems and proof methods for reasoning about regular deterministic programs which appear in the literature.


3.4 Related Work. 


thse ou cto Ss i Wain cd sahil, iw: 
inspired: by, Cook's C127 otior of relative: completeness:. bv Sectten: ZA! we take up 
the tusk of compuriiig the two 4 fresi. Setetark BET i weveheet tt the: desertption of 
the appresth ‘achopted By: Miteteorek a BORE tev Her went ert he ofighbehiinte’ Pogit oF Salwicks 
C59. She uites infinitary sterner’ ee re 
cleared weitere sasiesegeat pt 


3.4.1 Relative vs. Arithmetical Completeness.


Recall that Hoare [27] introduced an axiom system for the partial correctness of programs, one which is essentially a subsystem of DP. For the sake of this discussion we can in fact think of the corresponding subsystem of P consisting of (A), (C)-(G) and rule (I) as Hoare's system, and denote it by H. Cook [12]




investigated the question of completeness of Hoare's system and managed to formalize what seems to be the intuitive way in which people prove correctness (partial, in this case) of programs in line with the method suggested by Floyd [17] and Naur [46]. Cook separated the reasoning about the program from that about the underlying language, making a distinction between proving, say, x≥0 ⊃ [x←x+1]x>0 and proving x≥0 ⊃ x+1>0. The first requires some program-oriented manipulation in order to turn it into a first-order formula, whereas the second does not. Thus, Cook's idea was to supply Hoare's system with a generous oracle which had the ability to answer questions concerning the truth of first-order formulae. In this way he was able to shift concentration to Hoare's rules themselves, which were to serve as a tool for performing a step-by-step reduction of partial correctness assertions (of the form P⊃[α]Q) into equivalent first-order formulae. The truth of the latter is then checked using the oracle.


We now formally define Cook's [12] notion of relative completeness using the terminology we have developed. Assume given a language L' which includes all first-order formulae as wffs; thus L is part of L'. Assume AX to be a sound axiom system for L' and denote by AX_U the system AX ∪ {P | P∈L and ⊨_U P}. In other words, AX_U is AX augmented with all the U-valid first-order formulae as further axioms. AX is said to be complete for L' relative to L if for every universe U such that L is U-expressive for L', AX_U is U-complete for L'.


Theorem 3.17 (Cook [12]): H is complete for {R ⊃ [α]Q | α∈RC, R and Q are L-wffs} relative to L.

The proof is in fact identical to that of our Box-completeness Theorem (Thm. 3.9).


Now, if we restrict ourselves to languages L' such that for any arithmetical universe A, L is A-expressive for L', we note that arithmetical completeness is a special case of relative completeness; we do not require that AX_U be U-complete for all universes U which make L U-expressive for L', but only that that be the case for any arithmetical universe. Consequently then, in AX itself we can use symbols in ways which take their standard interpretation for granted. This is the flavor of the usage of n, + and 0 in the Rule of Convergence (rule (J) of P).


The flurry of "positive" research which followed Cook's observation, and which was aimed at providing similar results for various extensions and variations of the programming language (e.g. [19], [24] and [47]), led inevitably to "negative" research aimed at proving incompleteness results which indicate when Hoare-like


systems are doomed to be incomplete even in the relative sense of Cook. The first notable result in this direction is that of Wand [67], who shows, essentially, that it is not the case that L is U-expressive for every universe U. Thus Wand shows that there exist universes U such that AX_U is not U-complete for L'. The following very interesting characterization of these universes seems to have been proved: L is U-expressive for L' iff U is an arithmetical universe or a universe with a finite domain (call the latter a finite universe). Thus the only universes for which a Hoare-like system can be relatively complete are the arithmetical ones and the finite ones. So Cook's [12] requirement is in effect a requirement of completeness for these two kinds of universes.


The finite universes, however, cause trouble: Clarke [10] has shown that introducing (into the programming language in which the programs of L' are written) various programming concepts such as procedures as parameters or coroutines, in the presence of recursion and other reasonable mechanisms, prevents the possibility of obtaining relatively complete axiom systems. The negative result in [10] is based on the fact that the first-order language L is U-expressive for L' for any finite universe U. The languages have an undecidable halting problem over finite domains, and hence the set of diverging programs is not r.e., a fact which would contradict the existence of any relatively complete Hoare-like axiom system for such a language (the existence of one implying that, in particular, the set of valid formulae of the form true⊃[α]false is r.e.). Hence, the essence of Clarke's results lies in the fact that Cook's condition of expressiveness of L is satisfied by universes with finite domains.


The research of Lipton and Snyder [36] and Lipton [35] culminates in a generalization and extension of Clarke's results, with a theorem (Theorem 1 in [35]) which seems to tie up as equivalent the two properties of a programming language: (1) having a decidable halting problem over finite universes, and (2) the set of formulae P⊃[α]Q over it being r.e. in the set of all U-valid L-wffs, for every U such that L is U-expressive for L'.


We conclude that relaxing the requirement and requiring that AX_U be U-complete only for all arithmetical universes (i.e. playing our arithmetical-completeness game)
In addition, it seems that in order for axiomatizations of much richer logics like, say, DL (and the logics appearing in the sequel, CFDL, ADL, DL⁺ and CFDL⁺) to be relatively complete (i.e. that they work for finite universes too), the rules that involve arithmetic (i.e. rule (J)) would have to be modified to deal with the finite-domain case, and would probably result in a system which is far less natural and elegant.


We are of the opinign, ‘therefore, that the! aks 90 domains crept i 

(1) the concept treated most extensively by. sin the area was p 

correctness (CaJP essentially), and (2) » cite! asd 6 es reid veness is needed. 
ensure the existence of an elegant relatively complete axiomatization of this particular concept on its own.


Thus we feel that it is natural and beneficial to allow the integers into one's reasoning language, in order to make possible the kind of "counting" we carry out in P (and later on in R, P⁺ etc.).


Note that by adopting the "Hoare spirit" of structured, natural axiom systems, the remark in [67, p. 90] "if the language is expressive it is trivial to write down a complete axiom system for partial correctness" becomes irrelevant. We are not interested in a one-rule system which has built into it essentially the full description of how to Gödel-encode any wff and how to construct the equivalent formula of arithmetic. Rather, we want systems for composing our formulae step by step, using various kinds of assertions on the way. Of course, the proof that these systems are complete might involve relying on the expressive power of arithmetic, and hence might call upon the use of Gödel encoding, in turn making "the formulae ... be less than perspicuous" [67] (as is the case with our completeness results, which at various points require finding the arithmetical equivalent to formulae). Nevertheless, we believe that the construction of these systems contributes considerably to the understanding of the concepts, and provides the framework in which the natural and intuitive proofs one might have for properties of programs can be formulated.




3.4.2 Infinitary Axiomatization.


In 1970 Salwicki [59] introduced an algorithmic logic (AL) which is very similar to DL in many respects, the main difference being that AL is designed to reason about deterministic regular programs only. Various directions of research were followed by the researchers at Warsaw initiated by Salwicki, among them
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the problem of axiomatizing AL. (See [7] for a a survey of their work and can) for a 
comparison with DL.) . 


In this section we will not attempt to define AL, nor will we state any of the results relevant to it. We will, however, give a brief description of an infinitary axiom system IX for DL, derived from that of [41], and state the completeness theorem for it. This
theorem is essentialty due to Mirkow ka, y 1 
(supplied in (423) of the analogous | theorer 


The objective in constructing IX is entirely different from that of constructing P; the idea in IX is to provide a syntactical characterization of the valid DL-wffs, as opposed to the U-valid ones for specific universes U. Consequently, as we shall see, IX seems to be inadequate for proving properties of "real" programs which operate over specific domains, and which use functions and predicates over these domains, having their standard interpretation in mind.


IX is an axiom system which makes use of the following two rules for dealing with α*:

The axiom <α*>P ≡ (P ∨ <α><α*>P)
and the rule

(∞) {R ⊃ [αⁱ]Q}_{i≥0}
    R ⊃ [α*]Q


Besides these, IX includes the axioms (A), (D), (E) and (F), two rules for ∀x, the axiom [α](P⊃Q) ⊃ ([α]P ⊃ [α]Q), and a more complicated version of (C) catering for the case where P is a general DL-wff. Also, (G) is an inference rule of IX, as is the rule P / [α]P.


A proof of a DL-wff P in IX is a tree with root labeled by P, in which all paths are finite, and in which a node and its immediate ancestors are labeled in accordance with a rule of inference, the leaves being labeled with instances of axioms. Surely, by virtue of rule (∞), a proof-tree might be infinite; the requirement is only that all paths are finite.


Theorem 3.18 (Mirkowska [41]): For every DL-wff P, ⊨ P iff ⊢_IX P.

Thus, IX characterizes the set of DL-wffs which are U-valid in every universe U. P, on the other hand, is designed to characterize the sets of DL-wffs which are valid in arithmetical universes. Specifically, assume A is some arithmetical universe with uninterpreted function and predicate symbols. The set of A-valid DL-wffs and the set of A-valid first-order wffs are both Π¹₁-complete sets. Our axiom system P "gets its Π¹₁ power" from axiom scheme (B), i.e. from taking the elements of the latter set as axioms. The rest of P, then, can "afford" being finitary. IX also characterizes a Π¹₁-complete set, namely the set of valid DL-wffs (see Theorem 2.11); however it "gets its power" from the infinitary rule (∞) rather than from the set of axioms (which in the case of IX is r.e.). We can think of this situation as a trade-off between throwing the bulk of the Π¹₁-responsibility on the axioms or on the inference rules.


Another way of looking at the relationship is to note that since one can assert
the existence of infinite trees, such-as proofs in IX, using finite sentences of arithmetic, 
it is obvious that one can indeed give finitary inference rules to supplement a set of 
axioms which includes all valid sentences of arithmetic, and still be able to assert that 
a formula has an infinite proof in the IX sense. 


Note for example that the formula

(*) nat(x) ⊃ <(x←x-1)*>x=0

is an A-valid wff, but not a valid one, and hence the reader should not be surprised that he cannot see how to prove it using the circular-looking axiom for <α*> above. The valid wff which perhaps conveys the same idea as (*) is more complicated, and in it we have to replace nat(x) with a statement of the fact that x is accessible from z (standing for 0) via f (standing for successor), and that f acts on the set {z, f(z), f(f(z)), ...} like successor does on the natural numbers:
(f(z) #2 0 Cyens (yer y)) *Heltly)zy)) 2 Exes ( net xR (neg x) oxe7,
This formula is valid, and provable in IX by virtue of each element of the set
{ (rz) x2 1 Cyers(yerty Hetty ey) > “teeaslnettny Pc Cxeg( 9) y8>n=z Ito 
being provable. This can be done for fixed i by applying the axiom above for <α*> exactly i times to <(x←g(x))*>, thus "unraveling the loop" enough to obtain x=z. (In fact the proofs of each of these premises of rule (∞) do not use (∞) again.)
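By contrast, (*) has a short finitary proof in P. As an added worked example (not from the thesis), here is that proof by the derived rule of convergence (J') of Section 3.2, which also illustrates what a convergent is: take P(n) to be nat(x) ∧ x = n (so n ∉ var(x←x-1)); each premise is an A-valid L-wff and hence an instance of (B), except that step 2 uses the dual of axiom (C).

```latex
\begin{align*}
&\text{Let } P(n) \;\equiv\; \mathrm{nat}(x) \wedge x = n \quad\text{and}\quad \alpha \;\equiv\; x \leftarrow x-1 .\\
1.\;& \mathrm{nat}(x) \supset \exists n\, P(n) && \text{A-valid L-wff: axiom (B)}\\
2.\;& \langle x \leftarrow x-1\rangle P(n) \;\equiv\; (\mathrm{nat}(x-1) \wedge x-1 = n) && \text{dual of (C), via (A), (G)}\\
3.\;& P(n+1) \supset (\mathrm{nat}(x-1) \wedge x-1 = n) && \text{A-valid L-wff: axiom (B)}\\
4.\;& P(n+1) \supset \langle \alpha\rangle P(n) && \text{from 2, 3 by (A), (G)}\\
5.\;& P(0) \supset x = 0 && \text{A-valid L-wff: axiom (B)}\\
6.\;& \mathrm{nat}(x) \supset \langle \alpha^{*}\rangle\, x = 0 && \text{from 1, 4, 5 by (J')}
\end{align*}
```

Step 3 is A-valid because n ranges over the natural numbers by the convention of Section 3.2, so x = n+1 forces x-1 = n to be a natural number as well.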
4. Recursive Programs: Context-Free Dynamic Logic.


sense we obtain context-free programs over assignments and tests, as opposed to the regular ones we had previously.


The development of the material in this chapter is strongly affected by the analogy existing between, on the one hand, the concept of iterating as captured by the α* construct, and, on the other, that of recurring as captured by the μXτ(X) construct introduced below. The basic ideas present in the axiom systems appearing in [19] and [23] for proving the partial correctness of recursive programs are captured concisely by our box-rule for the recursive program construct, much as Hoare's [27] while rule is concisely captured by the rule of invariance of Section 3.2. Furthermore, we show that this rule is simply an instance of a principle of Park (SKL). There is seemingly a drawback to our treatment in the fact that we do not provide tools for including any kinds of parameters in the programming language. The reason is in our wanting to achieve a clarification of the mechanisms for reasoning about pure recursion. Our experience in digesting the literature on this subject indicated that in most of the cases the presentation of the basic principles suffers from being obscured by rules for dealing with the parameters (i.e. rules of substitution, adaptation etc.). We consider one of the goals of this chapter the elimination of these rules and the exposition of the similarity between reasoning about iteration and recursion.


4.1 Definitions.


The definition of CFDL is identical to that of DL except for a different set of programs, namely CF in place of RC.


_ Syntax: 


We assume given, besides the sets of symbols of Chapter 2, a set Θ of program variables, elements of which we denote by X, X₁, X₂, .... The set T of program terms is defined as follows:

(1) Every assignment x←e, test P? or program variable X∈Θ is a term.
(2) For all terms τ, τ₁, ..., τₙ, program variables X₁, ..., Xₙ in Θ, and for every i≥1, τ;τᵢ, τ∪τᵢ and μX₁...Xₙ(τ₁,...,τₙ) are terms.


The μX₁...Xₙ(τ₁,...,τₙ) clause is intended, intuitively, to represent the program consisting of an execution of τ₁, where the occurrences of the various Xᵢ in the various τⱼ represent τⱼ calling τᵢ. Thus, we have n mutually recursive procedures. The bulk of this chapter concerns the restricted case described below.


An occurrence of Xᵢ in a term τ is said to be bound if it is in a subterm of the form μX₁...Xₙ(τ₁,...,τₙ), and free otherwise. A term with no free occurrences of any program variable is called closed. The set T' of semi-terms is a variant of the set of terms, and is obtained by requiring that every subterm of the form μX₁...Xₙ(τ₁,...,τₙ) is closed. The set T'ⱼ of semi-terms of rank j is obtained from T' by restricting the value of n in any subterm of the form μX₁...Xₙ(τ₁,...,τₙ) to be at most j.


The set CF of context-free programs is taken to be simply the closed terms in T₁. In Section 4.4 we sketch the extension of our results to the case where the set of programs is taken to be the closed terms in ∪ₖTₖ. At this point though, we can omit subscripts and, in the flavour of the semantics given below, can in fact adopt the convention of denoting μXτ(X) by τ*(f). Also, we have need only for one program variable X to serve as a "place holder". Thus, for example, (true? ∪ (x←f(x);X;x←g(x)))*(f) is a legal program in CF. Context-free DL (CFDL) is defined just like DL, with CF in place of RG.


Semantics: 


All we really have to do here is define, for every α∈CF, the binary relation m(α), over the grand universe Γ, which α denotes. Inspection of the definition of CF shows that in fact all we have to add to the definition of m in Chapter 2 is how to define m(τ*(f)).


For clarification we will sometimes write τ(X) for a term τ which has free occurrences of X, and no free occurrences of any other X'∈Θ. Accordingly then, for such τ we may take τ(α) to abbreviate τ with all free occurrences of X replaced by the program α.


Define τ⁰(α) = α, and τⁱ⁺¹(α) = τ(τⁱ(α)). Now define

m(τ*(f)) = ∪_{i≥0} m(τⁱ(false?)),

which to some extent explains our use of τ*(f) to denote μXτ(X).

Example: Consider

α: z←x; ((z=0?;y←1) ∪ (z≠0?;z←z−1;X;z←z+1;y←y·z))*(f),

which is of the form z←x;τ*(f). The following is the program τ³(false?):

(z=0?;y←1) ∪ (z≠0?;z←z−1;
  ((z=0?;y←1) ∪ (z≠0?;z←z−1;
    ((z=0?;y←1) ∪ (z≠0?;z←z−1;
      false?;
      z←z+1;y←y·z));
    z←z+1;y←y·z));
  z←z+1;y←y·z).


One can check that in any state I of N for which x_I=2, we have I⊨⟨z←x;τ³(false?)⟩true, I⊨[z←x;τ³(false?)]y=2, and for every n<3 we also have I⊨[z←x;τⁿ(false?)]false. Thus α, given x=2, computes 2 in y. In general it can be seen that in the universe N of pure arithmetic, m(α) is the binary relation {(I,J) | J = [x_I!/y]I}, and thus α is a program computing factorial over the natural numbers.


One can see then that (I,J)∈m(τ*(f)) iff there exists an integer n such that (I,J)∈m(τⁿ(false?)). In other words the intuition is that "executing" a recursive program τ(X), which "calls itself" in effect at each occurrence of X, is executing, for some n, the program consisting of allowing calls of at most "depth" n. Thus, a successful execution of the factorial program above, which is of the form z←x;(β ∪ γ;X;δ)*(f), is any successful execution of z←x;γⁱ;β;δⁱ for some i.


(We remark that in fact this definition is in perfect agreement with the fixpoint semantics of recursive programs, as defined, say, in [4] or [5]. Using terminology from these papers, our τ's are all continuous over the domain of binary relations, and therefore defining the meaning of μᵢX₁...Xₙ(τ₁,...,τₙ) to be the i'th component of the least solution of the corresponding system of relational equations, in the sense of [4] and [26], is, by Kleene's [30] theorem, consistent with our definition of m(τ*(f)), or m(μXτ(X)).)


In the sequel we will need some additional notation to aid in constructing our rules of inference and in conducting our meta-reasoning. Note that any program α∈CF changes the values of at most the elements of var(α), all of which are variables. That is, α cannot change the value of any second-order function symbol or of any predicate symbol. Consequently, we would like to make it possible to talk about binary relations, such as those represented by programs, in a first-order framework. We do this by defining an augmented programming language CF' in which there are programs corresponding to these relations.


Formally, the set CF' is defined as follows:

- For any L-wff P and vector of distinct variables Z, P^Z is in CF'.
- Any assignment x←e or test P? is in CF'.
- Any closed term τ*(f) in T₁ is in CF'.
- For any α,β∈CF', α;β and α∪β are in CF'.

The meaning of P^Z is given by the following additional clause to the definition of m:


m(P^Z) = { (I,J) | J = [V/Z]I for some vector V of elements from the domain D, and [V/Z']I ⊨ P }.

Thus, P is thought of as having free variables Z and Z', where Z' (in line with the remark in Section 2.2) is a vector of "primed versions" of the members of Z. Thus, for example, (x,y)' is (x',y'). Intuitively then, P^Z is the program which assigns (nondeterministically) to Z any value V such that in state I, P is true of the value of Z in I and V. Thus, P^Z "achieves" between I and J the relation induced by P(Z,Z').

Example: With Z=(x) and P(Z,Z') being (x'=x ∨ x'=f(x)), we have that m(P^Z) = m(true? ∪ x←f(x)).


Now, CF'DL is defined precisely as CFDL but using CF' instead of CF. Of course, we are interested in CFDL, not in CF'DL, but need CF'DL in which to carry out our reasoning. Our axioms and rules will take advantage of being able, in arithmetical universes, to construct an "achieve program" of the form P^Z to correspond to a given "real" program. Note that we could have defined CF' simply by adding P^Z constructs to the set of basic programs (i.e. besides assignments and tests), and then defining CF' to be the set of closed terms of width 1. However, we want to outlaw the possibility of P^Z appearing in τ(X) and then being "*-ed", i.e. we do not want programs of the form τ*(f) in which τ includes an "achieve" program. The reason for this will become apparent in the proof of Lemma 4.6.


4.2 Results.

Theorem 4.1: For any arithmetical universe A, L is A-expressive for CF'DL.


Proof: The Theorem is proved similarly to Theorem 3.2, but here a slightly different treatment for τ*(f) is necessary. It can be shown, by the encoding of finite sequences of elements of the domain of A (described in Section 3.1), that there exists, for every term τ(X), an L-wff ITR_τ(n) such that for every n, ITR_τ(n) "expresses" τⁿ(false?), in the sense that m(ITR_τ(n)^Z) = m(τⁿ(false?)), where Z=var(τ). As in Theorem 3.2, if Q_A is an arithmetical equivalent of Q then an arithmetical equivalent of ⟨τ*(f)⟩Q is ∃n∃Z'(nat(n) ∧ ITR_τ(n) ∧ Q_A[Z'/Z]). ∎


We now show that in fact RG is embedded in CF.

Lemma 4.2: For every α∈CF',
m(α*) = m((true? ∪ α;X)*(f)) = m((true? ∪ X;α)*(f)).

Proof: m(α*) = ∪_{i≥0} m(αⁱ) = m(true?) ∪ m(α) ∪ m(α;α) ∪ ... = m(false?) ∪ m(true?) ∪ m(α;true?) ∪ m(α;α;true?) ∪ ... = ∪_{i≥0} m((true? ∪ α;X)ⁱ(false?)) = m((true? ∪ α;X)*(f)). Similarly for the second equality. ∎


A counter example to the other direction of the fact implied by Lemma 4.2 is the following program α∈CF, for which it can be easily shown that there does not exist any β∈RG such that m(α)=m(β):

(true? ∪ (x←f(x);X;x←g(x)))*(f).

Thus, CFDL falls between DL and r.e.-DL (see Section 2.3.5). Obviously, Theorems 2.8–2.11 are true of CFDL. In line with the open problems of Chapter 2, we add:

Open Problem: Is DL < CFDL?
Open Problem: Is CFDL < r.e.-DL?


Note the analogy between α* and τ*(f), which can be clearly seen by relaxing notation and writing

α* = ∪ₙ αⁿ,            τ*(f) = ∪ₙ τⁿ(false?),
[α*]P = ∀n[αⁿ]P,       [τ*(f)]P = ∀n[τⁿ(false?)]P,
⟨α*⟩P = ∃n⟨αⁿ⟩P,       ⟨τ*(f)⟩P = ∃n⟨τⁿ(false?)⟩P.


In the sequel we will write Z'=Z to abbreviate ∧ᵢ z'ᵢ=zᵢ, and will assume that for programs of the form P^Z, Z and Z' appear in that order in the parenthesised list of free variables of P. Thus, for example, P(Z'',Z') will abbreviate the result of substituting Z'' for Z in P, and P(Z',Z) the result of simultaneously substituting Z' for Z and Z for Z'. Furthermore, we will assume that in the context of a universe U, the elements of Z, Z', etc. consist of uninterpreted variables.


We now show how to express the fact that P^Z is an upper or lower bound on the relation represented by a program α, using DL notions.

Theorem 4.3: For any universe U and α∈CF', if Z=var(α) then

(1) ⊨_U (Z'=Z ⊃ [α]P(Z',Z)) iff m(α) ⊆ m(P^Z),
and (2) ⊨_U (P(Z,Z') ⊃ ⟨α⟩Z'=Z) iff m(P^Z) ⊆ m(α).


Proof: (1): Assume ⊨_U (Z'=Z ⊃ [α]P(Z',Z)) and assume (I,J)∈m(α). We have to show that J=[V/Z]I for some vector V of elements of D_U, and that [Z_J/Z']I ⊨ P(Z,Z'). The first is trivial by the fact that Z=var(α). Now, by the definition of m(α), and since α neither changes nor depends on Z', if (I,J)∈m(α) then (I',J')∈m(α), where I' = [Z_I/Z']I and J' = [Z_I/Z']J = [Z_J/Z][Z_I/Z']I. However, by the assumption, since we have constructed I' such that I' ⊨ Z'=Z, we must have J' ⊨ P(Z',Z), i.e. [Z_J/Z][Z_I/Z']I ⊨ P(Z',Z), which is the same as saying [Z_J/Z']I ⊨ P(Z,Z').

Conversely, assume m(α) ⊆ m(P^Z), and assume that for some I∈U, I ⊨ Z'=Z, and that (I,J)∈m(α). We must show that J ⊨ P(Z',Z). By assumption, (I,J)∈m(P^Z), so that [Z_J/Z']I ⊨ P(Z,Z'); that is, P holds of the pair of values (Z_I, Z_J). Since (I,J)∈m(α) we know that Z'_J = Z'_I = Z_I, and hence J ⊨ P(Z',Z).

(2): Assume ⊨_U (P(Z,Z') ⊃ ⟨α⟩Z'=Z), and assume (I,J)∈m(P^Z); we prove (I,J)∈m(α). By the second assumption, J=[Z_J/Z]I and [Z_J/Z']I ⊨ P(Z,Z'). By the first assumption there is then a state J₁ with ([Z_J/Z']I, J₁)∈m(α) and J₁ ⊨ Z'=Z; that is, Z_{J₁} = Z'_{J₁} = Z_J, so that J₁ = [Z_J/Z'][Z_J/Z]I = [Z_J/Z']J. Since α neither changes nor depends on the values of Z', we conclude that (I,J)∈m(α).

Conversely, assume m(P^Z) ⊆ m(α) and that for some I∈U, I ⊨ P(Z,Z'). We show the existence of J∈U such that (I,J)∈m(α) and J ⊨ Z'=Z. Take J to be [Z'_I/Z]I. Certainly Z'_J=Z_J. Furthermore, by the definition of m(P^Z), since [Z'_I/Z']I is simply I itself, and since we assumed that I ⊨ P(Z,Z'), we have (I,J)∈m(P^Z), and hence (I,J)∈m(α). ∎




We now establish some facts, all derived from well-known properties of relations, functionals and least fixpoints. However, since we will use them in the next section, we state them in terms of relations of the form m(α) for some α∈CF'.


Lemma 4.4: For any α,α'∈CF' and term τ(X), if m(α)⊆m(α') then m(τ(α))⊆m(τ(α')).

Proof: This is the monotonicity of τ over the domain of binary relations, and we omit the standard proof. ∎


Lemma 4.5 (Park [51]): For any α∈CF' and term τ(X), if m(τ(α))⊆m(α) then m(τ*(f))⊆m(α).

This is Park's [51] Fixpoint Induction Principle.


Lemma 4.6: For every α₀, α₁, ... ∈CF' and term τ(X), if m(α₀)=∅ and if furthermore for all i≥0 we have m(αᵢ₊₁)⊆m(τ(αᵢ)), then for all i≥0, m(αᵢ)⊆m(τ*(f)).

Proof: By induction on i. For i=0 we have m(α₀) = ∅ = m(false?) ⊆ ∪_{n≥0} m(τⁿ(false?)) = m(τ*(f)). Assume then m(αᵢ)⊆m(τ*(f)), so that by Lemma 4.4 m(τ(αᵢ))⊆m(τ(τ*(f))). Thus we have m(αᵢ₊₁) ⊆ m(τ(αᵢ)) ⊆ m(τ(τ*(f))). However, one can show by induction on the structure of τ that m(τ(∪_{n≥0} τⁿ(false?))) = ∪_{n≥0} m(τ(τⁿ(false?))). (This follows from the continuity of τ over the domain of binary relations; cf. [5]. We note that this would not have been true in general if CF' would have allowed achieve programs of the form P^Z to appear in the terms.) And so we have m(αᵢ₊₁) ⊆ ∪_{n≥0} m(τⁿ⁺¹(false?)) ⊆ m(τ*(f)). ∎


4.3 Axiomatization of CF'DL.


In this section we present an arithmetically complete axiom system R for proving the A-valid CF'DL-wffs; as a corollary, of course, R is arithmetically complete for CFDL too. In the sequel then, A is any arithmetical universe, and we adopt the same conventions regarding formulae with appearances of n, n+1, etc. as in Section 3.2. The "achieve" program corresponding to the L-wff P(n,Z,Z') will be denoted by P(n)^Z.

Consider now the following axiom system R for CF'DL.


Axioms:

(A)–(F) from P,
(K) [P^Z]Q ≡ ∀Z''(P(Z,Z'') ⊃ Q[Z''/Z]) for L-wffs P and Q,
(L) (P ⊃ [τ*(f)]Q) ⊃ ((P∧R) ⊃ [τ*(f)](Q∧R)) where var(R)∩var(τ)=∅.

Inference Rules:

(G) and (H) from P,

(M)   Z'=Z ⊃ [τ(P^Z)]P(Z',Z)
      ───────────────────────      where Z=var(τ),
      Z'=Z ⊃ [τ*(f)]P(Z',Z)

(N)   P(n+1,Z,Z') ⊃ ⟨τ(P(n)^Z)⟩Z=Z',   ¬P(0,Z,Z')
      ─────────────────────────────────────────      where Z=var(τ).
      P(n,Z,Z') ⊃ ⟨τ*(f)⟩Z=Z'

Provability in R, written ⊢_R, is defined as usual. The following lemmas establish the soundness of the new axioms and rules.

Lemma 4.7: For any L-wffs R, Q and P(Z,Z'), and term τ(X), the following are valid:
(1) [P^Z]Q ≡ ∀Z''(P(Z,Z'') ⊃ Q[Z''/Z]),
(2) (P ⊃ [τ*(f)]Q) ⊃ ((P∧R) ⊃ [τ*(f)](Q∧R)), where var(R)∩var(τ)=∅.

Proof: Straightforward from the definitions. ∎




Lemma 4.8: For any L-wff P(Z,Z') and term τ(X), if ⊨_A (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)) then ⊨_A (Z'=Z ⊃ [τ*(f)]P(Z',Z)).




Proof: By Theorem 4.3(1) the hypothesis is m(τ(P^Z)) ⊆ m(P^Z). By Park's induction principle (Lemma 4.5) we obtain m(τ*(f)) ⊆ m(P^Z), which by Theorem 4.3(1) is precisely the conclusion. ∎


Lemma 4.9: For any L-wff P(n,Z,Z') and term τ(X), if ⊨_A (P(n+1,Z,Z') ⊃ ⟨τ(P(n)^Z)⟩Z=Z') and ⊨_A ¬P(0,Z,Z'), then ⊨_A (P(n,Z,Z') ⊃ ⟨τ*(f)⟩Z=Z').

Proof: One can see that ⊨_A ¬P(0,Z,Z') implies m(P(0)^Z) = ∅. Furthermore, by Theorem 4.3(2) the first assumption gives m(P(n+1)^Z) ⊆ m(τ(P(n)^Z)) for every n. By Lemma 4.6 we conclude that m(P(n)^Z) ⊆ m(τ*(f)) for every n, which by Theorem 4.3(2) is precisely the conclusion. ∎




Theorem 4.10 (A-soundness of R): For any CF'DL-wff P, if ⊢_R P then ⊨_A P.

Proof: Follows from Theorem 3.6 and Lemmas 4.7, 4.8 and 4.9. ∎

Again we will apply Theorem 3.1 to prove the arithmetical completeness of R, but we are required first to prove the appropriate Box- and Diamond-completeness theorems. These will be established with the aid of:

Lemma 4.11: The following are derived rules of R:
(M')  Z'=Z ⊃ [τ(P^Z)]P(Z',Z),   R ⊃ [P^Z]Q
      ─────────────────────────────────────
                R ⊃ [τ*(f)]Q

(N')  P(n+1,Z,Z') ⊃ ⟨τ(P(n)^Z)⟩Z=Z',   ¬P(0,Z,Z'),   R ⊃ ∃n⟨P(n)^Z⟩Q
      ──────────────────────────────────────────────────────────────
                R ⊃ ⟨τ*(f)⟩Q


Proof: (M'): Assume ⊢_R (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)). We apply (M) to obtain ⊢_R (Z'=Z ⊃ [τ*(f)]P(Z',Z)). Using axiom (L), with ∀Z''(P(Z',Z'') ⊃ Q[Z''/Z]) as the formula R of (L) (it contains no variable of τ), we get ⊢_R ((Z'=Z ∧ ∀Z''(P(Z',Z'') ⊃ Q[Z''/Z])) ⊃ [τ*(f)](P(Z',Z) ∧ ∀Z''(P(Z',Z'') ⊃ Q[Z''/Z]))), from which we deduce ⊢_R ((Z'=Z ∧ ∀Z''(P(Z',Z'') ⊃ Q[Z''/Z])) ⊃ [τ*(f)]Q). Now, by axiom (K) and the second assumption, the conclusion follows.

(N'): Similar to (M'). ∎


Note the similarity between rules (I') and (J') of Chapter 3 on the one hand, and (M') and (N') on the other. Here too, for the [τ*(f)] case we are essentially looking for what we might call an invariant P under the application of τ, which is "between" R and Q in the sense of R ⊃ [P^Z]Q. For the ⟨τ*(f)⟩ case we are "counting" the number of applications of τ to false? needed to reach a state satisfying Q.


We now show that rule (M') can indeed always be applied when its conclusion is A-valid.


Lemma 4.12 (Invariance Lemma for CF'DL): For every term τ(X) and CF'DL-wffs R and Q, if ⊨_A (R ⊃ [τ*(f)]Q) then there exists an L-wff P(Z,Z') with Z=var(τ), such that

⊨_A (R ⊃ [P^Z]Q) and ⊨_A (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)).

Proof: Implied by the way Theorem 4.1 is proved is the fact that there exists a first-order formula of arithmetic P(Z,Z') which "represents" the program τ*(f), in the sense that m(P^Z)=m(τ*(f)). Certainly then, by the assumption, we have ⊨_A (R ⊃ [P^Z]Q). Also, as noted in the proof of Lemma 4.6, m(τ(τ*(f))) = m(τ*(f)), and so we have m(τ(P^Z)) ⊆ m(P^Z), which by Theorem 4.3(1) is ⊨_A (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)). ∎


Theorem 4.13 (Box-completeness Theorem for CF'DL): For every α∈CF' and L-wffs R and Q, if ⊨_A (R ⊃ [α]Q) then ⊢_R (R ⊃ [α]Q).

Proof: The proof follows Theorem 3.9 precisely, but uses Lemma 4.12 and rule (M') instead of Lemma 3.8 and rule (I'). ∎


Lemma 4.14 (Convergence Lemma for CF'DL): For every term τ(X) and CF'DL-wffs R and Q, if ⊨_A (R ⊃ ⟨τ*(f)⟩Q) then there exists an L-wff P(n,Z,Z') such that

⊨_A (P(n+1,Z,Z') ⊃ ⟨τ(P(n)^Z)⟩Z=Z'),  ⊨_A ¬P(0,Z,Z'),  and  ⊨_A (R ⊃ ∃n⟨P(n)^Z⟩Q).

Proof: Again, by the method used in the proof of Theorem 4.1, there exists an L-wff P(n,Z,Z') representing τⁿ(false?) in the sense that for every n we have m(P(n)^Z) = m(τⁿ(false?)). It is easy to see that all three conditions hold for this P. ∎


Theorem 4.15 (Diamond-completeness Theorem for CF'DL): For every α∈CF' and L-wffs R and Q, if ⊨_A (R ⊃ ⟨α⟩Q) then ⊢_R (R ⊃ ⟨α⟩Q).

Proof: Precisely as Theorem 3.11, but using Lemma 4.14 and rule (N') instead of Lemma 3.10 and rule (J'). ∎


Here too we conclude that for CFDL-wffs, A-validity and provability in R are equivalent concepts:

Theorem 4.16 (Arithmetical Soundness and Completeness for CFDL): For every CFDL-wff P, ⊨_A P iff ⊢_R P.

Proof: One direction is Theorem 4.10, and the other follows from Theorems 3.1, 4.1, 4.13 and 4.15. ∎




We remark that the [ ] part of R, in particular the derived rule (M'), conveys the essential ideas appearing in the axiom systems of [19] and [23] for proving the partial correctness of recursive programs. We have essentially shown that the central idea in these axiomatizations (referred to in [23] as the "freezing of the variables" method) is in fact a rephrasing of Park's [51] induction principle in a logical framework. Rule (N) for ⟨τ*(f)⟩ is very similar to the rule in [63] for proving the total correctness of deterministic recursive programs.


The results in this section indicate that reasoning about "pure" recursion is analogous to reasoning about regular programs. Here we are using the integers to count how "deep" we are in the recursion (using P(n)^Z); for α* we counted how "far" we are in the iteration. Other than having to devise the appropriate machinery, there was no real difficulty at this point in extending the methods of Chapter 3 to recursive programs. In Chapter 7, though, a reassessment of this claim will become necessary.


An interesting remark, which we do not elaborate upon or justify further here, is the fact that the proof method for formulae of the form R ⊃ [α]Q which is incorporated into R boils down to Floyd's [14] inductive assertion method and to Morris and Wegbreit's [45] subgoal induction method respectively, when regular programs are translated into recursive ones via the two methods appearing in Lemma 4.2. Thus the duality holding between these two methods shows up nicely as stemming from two dual ways of viewing α*.


4.4 Mutual Recursion. 


In this section we briefly indicate how to extend the axiomatization of Section 4.3 to the case where the programs can be mutually recursive. Specifically, we consider the programming language MCF (giving rise to the logic MCFDL) which is the set of all simple closed terms, i.e. the closed terms in ∪ₖTₖ.

We do not provide here a precise definition of m(μᵢX₁...Xₙ(τ₁,...,τₙ)), but rather assume that the reader is familiar with the standard definition of it (cf. [4] or [26]) as the i'th component of the least solution of the system of relational equations

X₁ = τ₁(X₁,...,Xₙ)
 ...
Xₙ = τₙ(X₁,...,Xₙ),

where the ordering on the binary relations is that of set inclusion.


The axiom system MR for MCFDL is constructed analogously to R. Axiom (L) is rephrased for a general μ-term as

(L') (P ⊃ [μᵢX₁...Xₙ(τ₁,...,τₙ)]Q) ⊃ ((P∧R) ⊃ [μᵢX₁...Xₙ(τ₁,...,τₙ)](Q∧R)),
where var(R)∩var(τ₁∪...∪τₙ)=∅.

Denote by μⱼ(αᵢ) the program

μⱼX₁...Xᵢ₋₁Xᵢ₊₁...Xₙ(τ₁(X₁,...,Xᵢ₋₁,α,Xᵢ₊₁,...,Xₙ), ..., τᵢ₋₁(...), τᵢ₊₁(...), ..., τₙ(X₁,...,Xᵢ₋₁,α,Xᵢ₊₁,...,Xₙ));

that is, μⱼ(αᵢ) is the program μⱼX₁...Xₙ(τ₁,...,τₙ) in which the i'th procedure is replaced by the program α: wherever the i'th procedure would have been called, in which case τᵢ was to be executed, α is executed instead.


The rules for the recursive constructs are

(M'')  Z'=Z ⊃ [τ₁(P₁^Z,...,Pₙ^Z)]P₁(Z',Z), ..., Z'=Z ⊃ [τₙ(P₁^Z,...,Pₙ^Z)]Pₙ(Z',Z)
       ───────────────────────────────────────────────────────────────────────
       Z'=Z ⊃ [μᵢX₁...Xₙ(τ₁(X₁,...,Xₙ),...,τₙ(X₁,...,Xₙ))]Pᵢ(Z',Z)

where Z=var(τ₁∪...∪τₙ),

(N'')  P(n+1,Z,Z') ⊃ ⟨τᵢ(μ₁((P(n)^Z)ᵢ),...,μₙ((P(n)^Z)ᵢ))⟩Z=Z',   ¬P(0,Z,Z')
       ─────────────────────────────────────────────────────────────────
       P(n,Z,Z') ⊃ ⟨μᵢX₁...Xₙ(τ₁,...,τₙ)⟩Z=Z'

where Z=var(τ₁∪...∪τₙ), and where μᵢ((P(n)^Z)ᵢ) stands for P(n)^Z itself.

It should be clear that the premises of both these rules are assertions of lesser complexity than their conclusions, in the sense that they involve "at most" terms in Tₙ₋₁.


One can prove the arithmetical soundness and completeness of MR by methods similar to those used in Sections 4.2 and 4.3; we omit the details.

We remark that rule (M'') captures the partial correctness of mutually recursive procedures.
PART II: Computation-Tree Based Logics.

5. Computation Trees, Total Correctness and Weakest Preconditions.


Up to this point we have been developing mathematical tools, namely the various dynamic logics, which enabled us to write down, and prove, formulae which make assertions about programs. In Section 2.2 we remarked that some conventional properties of programs which have intuitively plausible meanings happen to be expressible as simple formulae of dynamic logic.


In this chapter we show that an important property of programs, namely their so-called "total correctness", does not have a straightforward intuitive meaning, and that its definition requires careful analysis of the notion of "executing" a program. In fact, the definition of the total correctness of a program depends upon the particular method of execution one has in mind. Consequently, it is not at all clear a priori whether this property of a program can be expressed in dynamic logic. An upshot is the fact that the closely related notion of the weakest precondition (wp) of a program, although introduced by Dijkstra in [13] and used extensively in the literature, has not received a proper definition in [13] or in [14]. The objective of this chapter is to clarify, and to precisely define, both of these concepts.


In Section 5.1 we motivate and introduce the problem. Section 5.2 contains a refinement of the binary relation semantics for our programming language RG, using computation trees, and giving rise to the two important concepts of diverging and failing. In Section 5.3 we introduce four plausible methods for executing nondeterministic programs, by describing four methods for traversing computation trees in search of a final state. The total correctness of a program is then defined as being dependent upon these methods. In Section 5.4 we use these ideas to define the corresponding weakest precondition, which similarly depends on execution methods, and to analyze each of the four resulting wp's as to whether they satisfy the properties required of Dijkstra's wp in [14]. We find that two of them do. Then, in Section 5.5, we define the guarded commands language introduced in [13], and carry out a formal analysis aimed at showing that Dijkstra really had in mind one particular notion of wp, which corresponds only to one of our four execution methods, namely depth-first search without backtracking.
5.1 Motivation.

Let us look at two examples.


(1) It is easy to see that any DL-wff P(α) involving the program α has the property that P(β) is equivalent to P(β') in every state, where β is taken to be (x←e) and β' to be (x←e ∪ (y←e';false?)). This is simply because m(β)=m(β'). However, we would like to be able to state that if β' is "executed" by the processor choosing one of the components of the ∪ connective and executing it, then if y←e';false? happens to be chosen this "execution" will not terminate.


(2) Similarly, P(γ) is always equivalent to P(γ'), where γ is taken to be (x←e) and γ' to be (x←e;(x←x)*). Here too m(γ)=m(γ'), but we would like to be able to state that if (x←x)* is executed by the processor deciding at each step either to terminate or to execute x←x, then there is a possibility of never choosing to terminate and hence executing x←x "for ever".


We would like to refer to the phenomenon illustrated by example (1) as a failure and to that illustrated by (2) as a divergence.


Intuitively, a failure indicates reaching a false test with no immediate alternative at hand. In example (1) above, in order to carry out the alternative x←e when the false test is reached, the assignment y←e' must be "undone"; thus the alternative entails some backtracking and is therefore not immediate; consequently, there is a failure. However, the if P then α else β construct, which is (P?;α ∪ ¬P?;β) (see Section 2.3.4), should not contain a failure although one of the tests will be false whenever the construct is reached; here there is an immediate alternative at hand. A divergence is what is more popularly called an "infinite loop", i.e. a computation that does not terminate. These two concepts will receive formal definitions in the next section.

What we are interested in defining is a precise notion of the total correctness of a program α, with respect to assertions R and Q, to mean intuitively "if R is true, then 'no matter how α is executed' (i.e. 'no matter how choices are made') it is the case that α will indeed terminate in a state satisfying Q". It might seem plausible at this point that we would want this definition to be such that β and γ are, but β' and γ' are not, totally correct with respect to true and true. In other words, it might seem that the possibility of either diverging or failing should prevent a program from being totally correct. We will see in Section 5.3 that this is not the case. In fact, we will show that the four possibilities obtained by having the presence of a divergence / failure affect / not affect the total correctness of a program correspond to four different methods of execution of nondeterministic programs.


We now set up the technical machinery we need.


5.2 Computation Trees, Diverging and Failing.


In this section we introduce the notion of the I-computation tree of a program α, denoted by ct(α,I). We present some properties of computation trees and in particular show that one might view computation trees as an alternative semantics for the set of regular programs RG, consistent with the binary relation semantics. The trees however, in addition to the input-output information, contain much more; for example, they contain information regarding the presence or absence of divergences and failures.


Each node of ct(α,I) will be labeled with a state in Γ or with the symbol F (denoting failure), and will be of outdegree at most 2. The root is labeled with I (or with F, when α begins with a test that is false in I), and nodes labeled with F will always be leaves. The intuition is that a path from the root represents a legal computation of α starting in state I. Accordingly, a leaf represents a termination state if it is labeled with a state in Γ, or a failure if it is labeled with F. Any node with descendants represents an intermediate state of α. If a node has two descendants then there is, so to speak, a choice as to how to "continue execution".


A node will be represented by a pair (t,l), where t is a finite string over {0,1} describing the location of the node in the tree, 0 denoting "go left" and 1 "go right", and l (the label of the node) is either a state in Γ or the symbol F. Thus, for example, the tree with root I, left son J, and right son J' whose own sons are F and J'', is represented as {(λ,I),(0,J),(1,J'),(10,F),(11,J'')}. As can be seen, λ, the empty string, marks the root of the tree. By convention, a single descendant is marked as "going left", i.e. by 0.

In order to define ct(α,I) we first define a preliminary tree pct(α,I) in which every false test will be indicated by a failure node. ct(α,I) will then be obtained from pct(α,I) by deleting those failure nodes for which there is an immediate non-failure alternative. Formally, for any I∈Γ and α∈RG, we define, by induction on the structure of α, the preliminary computation tree pct(α,I) to be a subset of {0,1}* × (Γ ∪ {F}) as follows, where we use l to range over Γ ∪ {F}, and s, t to range over {0,1}*:
(1) pct(x←e,I) = {(λ,I),(0,[e_I/x]I)},
(2) pct(P?,I) = {(λ,I)} if I⊨P, and {(λ,F)} if I⊭P,
(3) pct(α∪β,I) = {(λ,I)} ∪ {(0t,l) | (t,l)∈pct(α,I)} ∪ {(1t,l) | (t,l)∈pct(β,I)},
(4) let E = {(t,J) | J∈Γ, (t,J)∈pct(α,I), and (t0,l)∉pct(α,I) for every l∈Γ∪{F}} (the leaves of pct(α,I) labeled with states), and let C = pct(α,I) − E. Then
    pct(α;β,I) = C ∪ {(ts,l) | (t,J)∈E, (s,l)∈pct(β,J)},
(5) pct(α*,I) = pct(true? ∪ α;α*, I).

Note that clause (5) might give rise to an infinite tree.


Now obtain ct(α,I) from pct(α,I) by deleting some of the failure nodes as follows: for any t∈{0,1}* and J∈Γ, replace every pair in pct(α,I) of the form (t0,F),(t1,J) by (t1,J), and of the form (t1,F),(t0,J) by (t0,J). Thus we are ignoring false tests which occur as a component of the ∪ operator, when the other component is not a false test.


Examples: We describe by means of simple diagrams (not reproduced here) some computation trees for various α. In each case, whenever they are not identical, we give both the preliminary tree pct(α,I) and the final tree ct(α,I). In all the examples I is some fixed state of the arithmetical universe N, for which x_I=0, and in the diagrams we let Iᵢ denote the state [i/x]I. The programs α considered are:

x=0?;x←x+1 ∪ x<2?;x←x+2
x≠0?;x←x+1 ∪ x≠0?;x←x+2
x=0? ∪ (x=0? ∪ x≠0?)
x←x+1;(x=0? ∪ (x←x+1;x=1?))
(x←x+1)*
(x<2?;x←x+1)*
(x<2?;x←x+1)*;x=2?

Note that while P do β od (see Section 2.3.4) gives rise to no failures other than those arising inside β.


Lemma 5.1: For every α∈RG, l∈Γ∪{F} and I∈Γ,
(1) there is a unique node of the form (λ,l') in ct(α,I), l'∈Γ∪{F};
(2) for every t∈{0,1}* there is at most one node in ct(α,I) of the form (t,l);
(3) for every t∈{0,1}* and b∈{0,1}, if (tb,l)∈ct(α,I) then (t,J)∈ct(α,I) for some J∈Γ.

Proof: Omitted. ∎

Thus, for every α and I, ct(α,I) is a nonempty, possibly infinite, tree of finite outdegree with nodes labeled with elements of Γ∪{F}. Nodes of the form (tb,l) are called descendants of a node of the form (t,J); a node with no descendants is called a leaf. By Lemma 5.1(2,3), all nodes labeled with F are leaves.


We now show that computation trees subsume the binary relation semantics of Chapter 2.

Theorem 5.2: For any α∈RG, (I,J)∈m(α) iff ct(α,I) has a leaf labeled with J.

Proof: By induction on the structure of α. Denote by Iα the set {J | (I,J)∈m(α)}, and by s(α,I) the set {J | there is a leaf of pct(α,I) labeled with J}. We prove first that Iα = s(α,I), and then the result follows by observing that the transition from pct(α,I) to ct(α,I) does not delete any nodes whose label is in Γ.

For an assignment, we have I(x←e) = {[e_I/x]I} = s(x←e,I). For a test, if I⊭P then I(P?) = ∅ = s(P?,I), and if I⊨P then I(P?) = {I} = s(P?,I).

Assume Iα = s(α,I) and Iβ = s(β,I). The case of α∪β is immediate from clause (3). For α;β, by the definition of pct(α;β,I), in which E = {(t,J) | J∈s(α,I)}, one can see that

s(α;β,I) = ∪_{J∈s(α,I)} s(β,J) = ∪_{J∈Iα} Jβ = {K | ∃J((I,J)∈m(α) ∧ (J,K)∈m(β))} = I(α;β).

Similarly, one can show that s(α*,I) = ∪_{n≥0} s(αⁿ,I) = ∪_{n≥0} I(αⁿ) = I(α*). ∎


It is therefore the case that, with J ranging over Γ, the leaves of ct(α,I) which are labeled with states convey the input-output information contained in the binary relation m(α). Note that in this framework I⊨⟨α⟩P asserts the existence in ct(α,I) of at least one leaf labeled with a state satisfying P. Similarly, I⊨[α]P asserts that P holds in any state which labels a leaf in ct(α,I). However, ct(α,I) contains much more information than is contained in m(α). In particular we now define, for every program α∈RG, two Boolean constants loop_α and fail_α, which are intended to be true in state I iff α can diverge, respectively fail, when started in I.

Formally, we define

I⊨loop_α iff ct(α,I) is infinite,
I⊨fail_α iff ct(α,I) has a node labeled with F.


Note that, ct(α,I) being of finite outdegree, we can apply Koenig's lemma (see [31]) to conclude that in fact I⊨loop_α iff there exists an infinite path from the root; i.e. iff there is an infinite sequence of nodes in ct(α,I)

(λ,I), (b₁,J₁), (b₁b₂,J₂), ..., (b₁b₂...bₙ,Jₙ), ...

Hence the term "divergence".


An interesting problem is that of determining how hard it is to decide if a program diverges for "uninterpreted reasons". Formally:

Open Problem: What is the degree of undecidability of the set of valid formulae of the form P ⊃ loop_α, where P is an L-wff?
We now prove some properties of loop_α and fail_α which will be needed in Section 5.4. However, the main formal treatment of these concepts will be given in Chapters 6 and 7.

Lemma 5.3: For every α,β∈RG, the following are valid:
(1) loop_{α;β} ≡ (loop_α ∨ ⟨α⟩loop_β),
(2) fail_{α;β} ⊃ (fail_α ∨ ⟨α⟩fail_β),
(3) fail_α ⊃ fail_{α;β},
(4) [α]false ⊃ (fail_α ∨ loop_α).


Proof: (1): Assuming I⊨loop_{α;β}, consider an infinite path from the root in ct(α;β,I). It is easy to see that either that whole path appears in ct(α,I), or a finite initial segment of it does, and the rest (i.e. an infinite path) appears in ct(β,J) for some J∈I(α). Conversely, an infinite path in either ct(α,I) or ct(β,J) for some J∈I(α) always shows up in ct(α;β,I).


(2): Consider a failure in ct(α;β,I), and assume that I⊨¬fail_α and that J⊨¬fail_β for every J∈I(α). The F-node in ct(α;β,I) appeared in pct(α;β,I), and also in either pct(α,I) or in pct(β,J) for some J∈I(α). However, for it to have been deleted in the process of constructing ct(α,I) (resp. ct(β,J)) it had to have appeared
in a subtree of the form


This subtree appears also in pct(α;β,I), and the F-node would have had to be deleted from it too.


The proofs of (3) and (4) follow similar reasoning, and are omitted. ∎


Note that a counterexample to the other direction of Lemma 5.3(2) is obtained by taking α to be (true? ∪ x←1) and β to be x=1?. When x=0 we have (I,I)∈m(α) and I⊨fail_β, but I⊭fail_{α;β}.




5.3 Execution Methods and Total Correctness.

In this section we define four algorithms for traversing the I-computation tree ct(α,I) of a program α∈RG in search of a final state; i.e. a leaf of ct(α,I) labeled with a state J∈Γ. The algorithms will output this state J. Then we define the notion of total correctness of a program α with respect to input and output conditions R and Q as being dependent upon the methods.


We use informal terms for describing our algorithms:


Depth Search (D): Starting from the root of ct(α,I) proceed down the tree by moving from father to son. Whenever a node with two sons is reached one of them is chosen nondeterministically and traversal continues on it. The process terminates when a leaf is reached; its label is taken as the result.


Note that if I⊨loop_α holds then, using method (D), it might be the case that the particular sequence of choices made along the way will result in the traversal proceeding along an infinite path (a divergence of α) and hence never terminating. Also, if I⊨fail_α holds, then that sequence might result in the traversal arriving at a failure leaf and thus producing F as the result.


Depth Search with Backtracking (DT): As in (D), the difference being that if a leaf labeled F is reached the procedure backtracks to the most recent choice point and tries the alternative. If that has already been tried it backtracks to the next most recent one, and so on. If the tree is exhausted this way execution terminates with F as the result.


Note that here too, I⊨loop_α implies that the traversal might continue for ever along a divergence. However, the existence of at least one non-F leaf (which can be asserted by I⊨<α>true) guarantees that even if I⊨fail_α holds the traversal will not end with F as the result.


Breadth Search (B): A nonnegative integer k is chosen nondeterministically. Starting from the root the procedure moves down the tree from father to son. Whenever a node with two sons is encountered track is kept of both alternatives by working in parallel. When any leaf is encountered its label is added to an initially empty set RES. When depth k of the tree is reached, or when the tree has been exhausted, RES is checked for emptiness. If RES≠∅ the traversal terminates and an element of RES is chosen nondeterministically as the result. If RES=∅ and the tree has not yet been exhausted, another integer k'>k is chosen nondeterministically and the search continues as above. Otherwise the procedure terminates with F as the result.


(Remark: the mechanism of introducing a choice of an integer k is present in order to render each leaf a possible outcome of the search; a fixed k would favour higher leaves.)


Note that here, if I⊨fail_α holds then the F symbol might end up being the result, as a consequence of a particular choice of k and of the element chosen from RES. However, if at least one leaf (F or other) is present, then even if I⊨loop_α holds the procedure is guaranteed to terminate eventually, because RES will become nonempty at some point.


Breadth Search with Ignoring (BG): As in (B), the difference being that if an F-leaf is encountered the symbol F is not added to the set RES.


Note that here, if at least one non-F leaf is present, neither the truth of loop_α nor that of fail_α in I can result in the procedure producing F as its result.


We remark here that the methods presented are by no means a complete list. One can think of other methods, such as "left-first search", in which the left branch is always tried first. We feel, however, that the four we described represent the reasonable "fair" methods, in which no particular group of leaves is preferred over another.


We summarize the remarks that were made after each method was described as follows, where the entry 0 for a certain method under divergence (resp. failure) means that even under the assumption I⊨<α>true, the fact that I⊨loop_α (resp. I⊨fail_α) holds can result in the procedure failing to produce a final state as its result (and the entry 1 means that it cannot):

          divergence   failure
    D         0           0
    DT        0           1
    B         1           0
    BG        1           1
We now take a close look at the sought notion of total correctness. We would like to define α to be totally correct with respect to an input condition R and an output condition Q if, intuitively, starting execution of α in a state in which R is true will undoubtedly result in that execution terminating in a state in which Q is true. Assume that I is a state such that I⊨R holds. For α to be totally correct with respect to R and Q there certainly must exist at least one final state; hence we require that I⊨<α>true holds. Furthermore, all such leaves are candidates for the output of any one of the four procedures described above. Thus we require, in addition, that every state with which such a leaf is labeled should satisfy Q; in other words we need I⊨[α]Q to hold. It is now quite evident that in order for a traversal, using one of the four methods, to be guaranteed to terminate with a final state as the result, we will have to require that ct(α,I) be free of divergences or failures, whichever of these are capable of misleading that method according to the above table.


We thus arrive at the following

Definition: Given a universe U, a program α∈RG and formulae R and Q, we say that α is

D-totally correct wrt R and Q   iff ⊨_U (R ⊃ (<α>true ∧ [α]Q ∧ ¬loop_α ∧ ¬fail_α)),
DT-totally correct wrt R and Q  iff ⊨_U (R ⊃ (<α>true ∧ [α]Q ∧ ¬loop_α)),
B-totally correct wrt R and Q   iff ⊨_U (R ⊃ (<α>true ∧ [α]Q ∧ ¬fail_α)),
BG-totally correct wrt R and Q  iff ⊨_U (R ⊃ (<α>true ∧ [α]Q)).


In the next section we use this definition in order to define the concept of the weakest precondition of a program with respect to an assertion, and to clarify Dijkstra's [13] notion of wp.




5.4 Weakest Preconditions.


The notion of the weakest precondition of a program α with respect to a post condition Q was introduced by Dijkstra [13], who wrote (in [14]):

(*) "We shall use the notation wp(α,Q) to denote the weakest precondition for the initial state of the system such that activation of α is guaranteed to lead to a properly terminating activity leaving the system in a final state satisfying the post condition Q."


Here "weakest" is in the sense that wp(α,Q) is to be the largest set of states each of which has the property that "activation of α starting from that state is guaranteed to lead to ..., etc."


Other than (*), there is no formal definition of wp(α,Q) either in [13] or in [14]. However, [14] contains essentially four properties that wp must satisfy:

P1. ⊨(wp(α,false) ≡ false),
P2. if ⊨(P ⊃ Q) then ⊨(wp(α,P) ⊃ wp(α,Q)),
P3. ⊨(wp(α,P∧Q) ≡ (wp(α,P) ∧ wp(α,Q))),
P4. (continuity): for any arithmetical universe A, if ⊨_A ∀n(P(n) ⊃ P(n+1)) then ⊨_A (wp(α,∃nP(n)) ≡ ∃n wp(α,P(n))), where n ∉ var(α).


Our plan is to precisely define the notion of wp(α,Q) as being dependent upon the four execution methods of Section 5.3, and then to investigate which of the four resulting wp's satisfy P1-P4. We will show that those are wp_D and wp_DT. However, in the next section we introduce Dijkstra's guarded commands (GC) programming language and show that, restricting ourselves to programs in that language, the only notion of wp which is consistent with the way in which GC is defined in [13] is the one corresponding to method D, i.e. depth search with no backtracking. Thus, although there are four independent notions of the weakest precondition of a program, the particular notion of wp(α,Q) that Dijkstra had in mind in [13] and [14] presupposed the use of method D. Work of de Bakker [3] and of Plotkin has also indicated that one has to outlaw both infinite computations and blind alleys (failures) in order to capture Dijkstra's notion of wp.




Definition: Given a universe U, a program α∈RG and a formula Q, the weakest precondition of α with respect to Q by method X, for X∈{D,DT,B,BG}, is defined as follows:

wp_D(α,Q)  ≡ (<α>true ∧ [α]Q ∧ ¬loop_α ∧ ¬fail_α),
wp_DT(α,Q) ≡ (<α>true ∧ [α]Q ∧ ¬loop_α),
wp_B(α,Q)  ≡ (<α>true ∧ [α]Q ∧ ¬fail_α),
wp_BG(α,Q) ≡ (<α>true ∧ [α]Q).


Certainly, by definition, for X ranging over D, DT, B and BG, a program α is X-totally correct wrt R and Q iff ⊨_U (R ⊃ wp_X(α,Q)).
Note that all of our four wp's satisfy the informal description (*), in which the word "activation" is now interpreted as "activation using execution method X". In other words, we claim that

it is indeed the case that using method X, wp_X(α,Q) is the weakest precondition which guarantees that execution of α using method X will terminate in a state satisfying Q.


Let us see which of our wp's satisfy Dijkstra's properties P1-P4.

Lemma 5.4: P1-P3 hold for wp_D, wp_DT, wp_B and wp_BG.

Proof: P1: Since for any X∈{D,DT,B,BG}, ⊨(wp_X(α,Q) ⊃ (<α>true ∧ [α]Q)), ⊨((<α>true ∧ [α]Q) ⊃ <α>Q), and ⊨(<α>false ≡ false), P1 can be seen to follow. We omit the straightforward proofs of P2 and P3. ∎


Lemma 5.5: There exist an arithmetical universe A, a program α∈RG and a formula P(n) such that P4 does not hold for wp_B or for wp_BG.

Proof: Take A to be the universe of pure arithmetic N, and P(n) to be n≥x. Certainly for any n we have ⊨_N (n≥x ⊃ (n+1)≥x). Take α to be (x←0;(x←x+1)*). One can then check that ⊨_N <α>true and ⊨_N [α]∃n(n≥x), and that α never fails, so that wp_B(α,∃n(n≥x)) and wp_BG(α,∃n(n≥x)) are both N-valid. However, ∃n wp_B(α,n≥x) is not N-valid, and neither is ∃n wp_BG(α,n≥x), since for no fixed n does [α](n≥x) hold. ∎


Theorem 5.6: P4 holds for wp_D and wp_DT.


Proof: Assume ⊨_A ∀n(P(n) ⊃ P(n+1)). Because n ∉ var(α), it is immediate that (∃n(wp_D(α,P(n))) ≡ (<α>true ∧ ¬loop_α ∧ ¬fail_α ∧ ∃n[α]P(n))) is A-valid. Also, it is trivial to show that for the same reason, so is (∃n[α]P(n) ⊃ [α]∃nP(n)). Assume now that I⊨[α]∃nP(n) and I⊨¬loop_α hold. We show that I⊨∃n[α]P(n) holds. By I⊨¬loop_α, we know that ct(α,I) is finite. Consider the set I(α) = {J | (I,J)∈m(α)}. By virtue of I⊨[α]∃nP(n) holding, there is an integer i(J) associated with each J∈I(α) such that for any n, J⊨P(n) whenever n≥i(J). Since I(α) is finite (by Lemma 5.2 together with the fact that ct(α,I) is a finite tree), taking m = max_{J∈I(α)} i(J) and observing that for any J we have J⊨(P(n) ⊃ P(m)) where n≤m, we conclude that I⊨[α]P(m), and hence I⊨∃n[α]P(n).

For wp_DT it suffices to observe that under the condition n ∉ var(α) we have that (∃n(wp_DT(α,P(n))) ≡ (<α>true ∧ ¬loop_α ∧ ∃n[α]P(n))) is A-valid. The proof then proceeds exactly as above. ∎


Thus, we summarize as follows, where 1 indicates that the property holds for the wp in question and 0 that it does not:

          P1   P2   P3   P4
    D      1    1    1    1
    DT     1    1    1    1
    B      1    1    1    0
    BG     1    1    1    0

and conclude that the properties P1-P4 do not give rise to a unique notion of wp; there are at least two equally plausible definitions which satisfy these properties. We remark that [13] included only P1-P3, and these are satisfied by all four wp's. Hence P4, which was added in [14], can be seen to be equivalent to requiring that the program is divergence-free. Wand has essentially shown that nothing weaker than wp_DT satisfies P1-P4.




5.5 The Guarded Commands Language (GC).


In this section we continue our analysis of the notion of weakest preconditions by restricting ourselves, as did Dijkstra in [13], to a sublanguage of the language RG of regular expressions over assignments and tests, namely to the language of guarded commands (GC). We show that only one of the four notions of wp, namely wp_D, is consistent with the manner in which GC was alleged to have been defined in [13]. Since wp_D satisfies P1-P4 of [14] too, we conclude that Dijkstra had been presupposing that method D was to be used in executing the programs in GC.


We define GC as a subset of RG, with the same semantics, as follows:

(1) An assignment x←e is a program in GC.
(2) For any α,β∈GC and first-order tests P? and R?,
    α;β,
    (P?;α ∪ R?;β), and
    ((P∨R)?;(P?;α ∪ R?;β))*;(¬P ∧ ¬R)? are in GC.

Throughout, we abbreviate the last construct in (2) above to *(P?;α ∪ R?;β).


One can see that in GC tests do not appear as programs in their own right but only as guards preceding "real" statements. Thus, in the alternative construct (P?;α ∪ R?;β) (written IF P→α ∥ R→β FI in [13]), either α or β is executed depending on whether it is P or R which is true. If both are, then one of α and β is chosen nondeterministically, and if neither is then the statement fails. Thus this construct is a nondeterministic generalization of if P then α else β. Similarly, the repetitive construct *(P?;α ∪ R?;β) (written DO P→α ∥ R→β OD in [13]) generalizes while P do α.


In [13] the language defined is seemingly somewhat less restrictive. For example, (P_1?;α_1 ∪ ... ∪ P_n?;α_n) is allowed for any n≥0. However, P_1?;α_1, for all our purposes, is equivalent to (P_1?;α_1 ∪ P_1?;α_1), and (P_1?;α_1 ∪ P_2?;α_2 ∪ P_3?;α_3) to (P_1?;α_1 ∪ (P_2∨P_3)?;(P_2?;α_2 ∪ P_3?;α_3)). Also, Dijkstra's skip and abort statements can be written as (true?;x←x ∪ true?;x←x) and (false?;x←x ∪ false?;x←x) respectively; thus GC can be seen to be sufficient. (Remark: abort was described in [14] as being a statement that always fails, and so is written differently from the statement *(true?;x←x ∪ true?;x←x), which always diverges and which we call diverge.)


In [13] and [14] the semantics of GC was defined using the (informally described) notion of wp(α,Q). We rephrase these "definitions" as logical equivalences that a candidate of ours for wp should satisfy for any α,β∈GC, in any state. As we shall see, only one of our four wp's satisfies them all. The equivalences are:

D1. wp(skip,Q) ≡ Q,
D2. wp(abort,Q) ≡ false,
D3. wp(x←e,Q) ≡ Q^x_e (the result of substituting e for x in Q),
D4. wp(α;β,Q) ≡ wp(α,wp(β,Q)),
D5. wp((P?;α ∪ R?;β),Q) ≡ ((P∨R) ∧ (P ⊃ wp(α,Q)) ∧ (R ⊃ wp(β,Q))),
D6. wp(*(P?;α ∪ R?;β),Q) ≡ ∃k H_k,
    where H_0 ≡ (¬P ∧ ¬R ∧ Q),
    and H_{k+1} ≡ (H_0 ∨ wp((P?;α ∪ R?;β),H_k)).
Lemma 5.7: D1, D2 and D3 hold for wp_D, wp_DT, wp_B and wp_BG.

Proof: D1: For skip, defined above as (true?;x←x ∪ true?;x←x), we certainly have ⊨<skip>true, and similarly, for any I one can see that ct(skip,I) is free of failures and is finite. Also, [skip]Q ≡ [true?;x←x]Q ≡ (true ⊃ Q) ≡ Q. Thus D1 follows.

D2: <abort>true ≡ (<false?;x←x>true ∨ <false?;x←x>true) ≡ (false ∧ <x←x>true) ≡ false, and thus, since for any X∈{D,DT,B,BG} we have ⊨(wp_X(α,Q) ⊃ <α>true), we obtain D2.

D3: Since we have ⊨(<x←e>true ∧ ¬loop_{x←e} ∧ ¬fail_{x←e}), we conclude that for any X as above, wp_X(x←e,Q) ≡ [x←e]Q ≡ Q^x_e. ∎

Theorem 5.8: For each of wp_DT, wp_B and wp_BG there exist programs α,β∈GC such that D4 is not valid.

Proof: Take α to be (true?;x←1 ∪ true?;x←2) and Q to be true.

DT: Take β to be (x≠1?;x←x ∪ x≠1?;x←x). The left hand side of D4 for this case is (<α;β>true ∧ ¬loop_{α;β} ∧ [α;β]true). All three conjuncts certainly hold in any state I∈N. However, the right hand side is (<α>true ∧ ¬loop_α ∧ [α](<β>true ∧ ¬loop_β ∧ [β]true)), and [α]<β>true is false in any state I∈N, since for any such I we have (I,I')∈m(α), where I' is I with x set to 1, but I'⊭<β>true (both guards of β are false in I').

B: Take β to be (x=1?;diverge ∪ x≠1?;x←x). Similarly to the previous case one can see that ⊨_N wp_B(α;β,Q), since no failure occurs, but [α]<β>true is not satisfied by any state I∈N since (I,I')∈m(α) holds, with I' as above, but I'⊭<β>true.

BG: Take β to be either of the above two. The rest of the reasoning is similar. ∎
In order to show that D4 holds for wp_D we need the following:

Lemma 5.9: For any α,β∈GC, ⊨(fail_{α;β} ≡ (fail_α ∨ <α>fail_β)).

(This lemma should be contrasted with Lemma 5.3(2,3) and the remark following its proof.)

Proof: With Lemma 5.3(2,3) at hand and noting that GC ⊆ RG, all we have left to prove is ⊨(<α>fail_β ⊃ fail_{α;β}) for α,β∈GC. Indeed, the only way there can be a failure in ct(β,J) for some J∈I(α) without it appearing in ct(α;β,I) is in the case where ct(α,I) has a leaf labeled J the father of which has another son which is not a leaf, and furthermore ct(β,J) is simply {(Λ,F)}. However, there are no programs β∈GC for which ct(β,J) is a singleton. ∎

Theorem 5.10: For any α,β∈GC, D4 holds for wp_D.

Proof: We have wp_D(α;β,Q) ≡ (<α;β>true ∧ ¬loop_{α;β} ∧ ¬fail_{α;β} ∧ [α;β]Q), and similarly wp_D(α,wp_D(β,Q)) ≡ (<α>true ∧ ¬loop_α ∧ ¬fail_α ∧ [α](<β>true ∧ ¬loop_β ∧ ¬fail_β ∧ [β]Q)). By Lemma 5.3(1,2) the direction from right to left is seen to follow immediately. Assume now that I⊨wp_D(α;β,Q). Using Lemma 5.3 and Lemma 5.9 for dealing with the clauses involving loop and fail, we have only to show that I⊨[α]<β>true holds. This follows from I⊨(¬loop_{α;β} ∧ ¬fail_{α;β}): a state J∈I(α) with J⊭<β>true would have every path of ct(β,J) either infinite or ending in F, giving I⊨<α>loop_β or I⊨<α>fail_β, and hence, by Lemmas 5.3(1) and 5.9, I⊨loop_{α;β} or I⊨fail_{α;β}. ∎


We now consider D5:


Lemma 5.11: For each of wp_DT, wp_B and wp_BG there exists a program (P?;α ∪ R?;β) in GC such that D5 is not valid.

Proof: Take P, R and Q to be true, and β to be the program skip.

DT: Take α to be abort.
B: Take α to be diverge.
BG: Take α to be either of the above.

In each case the left hand side is valid, but the right hand side is not even satisfiable, since it contains the conjunct (true ⊃ wp_X(α,Q)) with wp_X(α,Q) ≡ false. We omit the details. ∎


Lemma 5.12: For any α,β∈GC, D5 holds for wp_D.

Proof: Straightforward using Lemma 5.3(4) and Lemma 5.9. ∎
We now consider D6:


Theorem 5.13: For each of wp_DT, wp_B and wp_BG there exists a program *(P?;α ∪ R?;β) in GC such that D6 is not valid.

Proof: Here too, there is a general pattern to the counterexamples. We present them for each case but omit the tedious, though straightforward, details involved in proving the claim. In each case, however, one can show that there are states I∈N in which the left hand side of D6 is true but the right hand side is not; in fact, the clause involving (P?;α ∪ R?;β) on the right hand side can be shown to be false in I.

Define Q to be true. Taking γ to be the program abort for the DT case, diverge for the B case, and either of these for the BG case, we define our program *(P?;α ∪ R?;β) to be
tobe — ((x=0?;x«x+3) » (22x?; xex+l; i( (nel? sxexel)  (xv6i?37)))). - . oo 


Theorem 5.14: For any α,β∈GC, D6 holds for wp_D.

Proof: For simplicity, denote by π the program (P?;α ∪ R?;β), and by *π the program *(P?;α ∪ R?;β). We note that for every I such that I⊨wp_D(*π,Q) holds, I⊨¬loop_{*π} holds, and thus the tree ct(*π,I) is finite. Note that under the same assumption, each leaf of ct(*π,I) is labeled with a state J such that J⊨(¬P ∧ ¬R), and also J⊨Q. We now show that for every I∈Γ such that I⊨wp_D(*π,Q), we have I⊨H_k, by induction on k, where k is the depth of the tree ct(*π,I).

If k=0 then ct(*π,I) = {(Λ,I)}, and I⊨(¬P ∧ ¬R ∧ Q), so that I⊨H_0. Assume that I is a state such that k, the depth of ct(*π,I), is greater than 0, and assume that I⊨wp_D(*π,Q). Assume also that for any state J such that the depth of ct(*π,J) is k' and k'<k, if J⊨wp_D(*π,Q) holds then J⊨H_{k'}. We show that I⊨H_k by showing that I⊨wp_D(π,H_{k-1}). This is sufficient because, since ct(*π,I) is failure-free and its depth is not 0, it must be the case that I⊨(P ∨ R), I⊨<π>true, I⊨¬fail_π and I⊨¬loop_π.

Take any J∈I(π). Certainly the depth of ct(*π,J) is less than k. Also, one can show that from the fact that I⊨wp_D(*π,Q) holds, we can deduce that I⊨wp_D(π;*π,Q) holds too, and then, using D4 (Theorem 5.10), that J⊨wp_D(*π,Q) also holds. By the inductive hypothesis we obtain J⊨H_{k'} for k'<k (here k' is the depth of ct(*π,J)). However, it is easy to establish that for any i, ⊨(H_i ⊃ H_{i+1}), so that we also have J⊨H_{k-1}. Hence I⊨[π]H_{k-1}. This completes one direction of the theorem.

Conversely, assume I⊨H_k for some k. Without loss of generality we can assume that I⊭H_{k'} for all k'<k. If k=0 then trivially I⊨(¬P ∧ ¬R ∧ Q), and hence I⊨wp_D(*π,Q). Assume that k>0, and that for any state J such that min_k(J⊨H_k) is defined and is smaller than k, we have J⊨wp_D(*π,Q). Certainly by I⊨H_k and k>0 we have I⊭(¬P ∧ ¬R ∧ Q), so that I⊨(<π>true ∧ ¬fail_π ∧ ¬loop_π ∧ [π]H_{k-1}). Since I⊨<π>true, we can denote by J a state in I(π). We know that I⊨[π]H_{k-1}, and so J⊨H_{k-1}. Therefore, by the inductive hypothesis we conclude that J⊨wp_D(*π,Q), or that J⊨(<*π>true ∧ ¬fail_{*π} ∧ ¬loop_{*π} ∧ [*π]Q). Now, since J∈I(π) and J⊨<*π>true, we have I⊨<*π>true. Similarly we can establish I⊨[*π]Q from I⊨[π]H_{k-1}, which implies that J⊨[*π]Q holds for any J∈I(π). Also, I⊨¬fail_{*π} and I⊨¬loop_{*π} follow for similar reasons. ∎


Thus, to summarize, we have the following table, where a 1 indicates validity for all programs in GC and a 0 indicates that a counterexample in GC exists:

          D1   D2   D3   D4   D5   D6
    D      1    1    1    1    1    1
    DT     1    1    1    0    0    0
    B      1    1    1    0    0    0
    BG     1    1    1    0    0    0

We remark that relaxing our restrictions on programs and considering general programs in RG, D4-D6 do not hold in general even for wp_D.


We find this result satisfying, since it confirms the intuition Dijkstra displayed when he designed GC in [13] as a nondeterministic programming language suitable for "total-correctness-oriented" reasoning. Although there is no a priori reason for preferring execution method D to any of the others, we have shown that adopting this method in conjunction with the sublanguage GC results in D1-D6 holding, a fact which nicely gives rise to what Dijkstra calls a "calculus" for computing the weakest precondition of a program, and hence for determining whether a program is totally correct.
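An executable model of Sections 5.4 and 5.5, added here and not taken from the thesis: guarded-command programs over a single variable x ranging over a small finite domain (an assumption made so that computation trees can be explored exhaustively), the four method-dependent weakest preconditions computed from their semantic definitions, and Dijkstra's calculus D3-D6 for wp_D (in its n-guard form) computed syntactically over the same domain. The program encoding, the domain and the function names are ours; the sample programs are the ones used in this section (skip, abort, diverge and the Theorem 5.8 counterexamples). Running it shows the calculus agreeing with wp_D, and D4 failing for wp_DT, wp_B and wp_BG on exactly the programs the theorem uses.

```python
"""Guarded commands (Section 5.5) over one natural-number variable x drawn from a
finite domain.  ct(alpha, I) is explored as a finite configuration graph, from which
<alpha>true, [alpha]Q, loop_alpha and fail_alpha, and hence the four weakest
preconditions wp_D, wp_DT, wp_B and wp_BG of Section 5.4, are read off.  Dijkstra's
calculus D3-D6 is then computed over the same domain and compared with wp_D.
Added example; the program encoding and the bounded domain are our own choices."""

DOMAIN = frozenset(range(8))   # assumed finite domain for x; the sample programs stay inside it
FAIL = 'F'                     # the failure label F of a computation tree

# Our encoding of GC: asg(f) is x <- f(x); seq(a, b) is a;b; IF((P, a), (R, b)) is
# IF P -> a | R -> b FI and DO((P, a), (R, b)) is DO P -> a | R -> b OD.  Guards and
# expressions are Python functions of the current value of x.
def asg(f): return ('asg', f)
def seq(a, b): return ('seq', a, b)
def IF(*arms): return ('if', arms)
def DO(*arms): return ('do', arms)

def step(prog, x):
    """Sons of the node (prog, x) in the computation tree: FAIL, or a pair
    (continuation, state) where continuation None means 'terminated'."""
    kind = prog[0]
    if kind == 'asg':
        return [(None, prog[1](x))]
    if kind == 'seq':
        _, a, b = prog
        sons = []
        for son in step(a, x):
            if son == FAIL:
                sons.append(FAIL)
            else:
                rest, y = son
                sons.append((b if rest is None else seq(rest, b), y))
        return sons
    live = [body for guard, body in prog[1] if guard(x)]
    if kind == 'if':          # alternative construct: fails when no guard is open
        return [(body, x) for body in live] or [FAIL]
    return [(seq(body, prog), x) for body in live] or [(None, x)]   # DO exits when no guard holds

def analyse(prog, x):
    """Return (final states, fail, loop) for ct(prog, x).  Configurations
    (program, state) are finitely many over a finite domain, so an infinite path
    exists iff depth-first search revisits a configuration still on its stack."""
    finals, flags, on_stack, done = set(), {'fail': False, 'loop': False}, set(), set()

    def dfs(p, y):
        key = (p, y)
        if key in on_stack:
            flags['loop'] = True
            return
        if key in done:
            return
        on_stack.add(key)
        for son in step(p, y):
            if son == FAIL:
                flags['fail'] = True
            elif son[0] is None:
                finals.add(son[1])
            else:
                dfs(*son)
        on_stack.remove(key)
        done.add(key)

    dfs(prog, x)
    return finals, flags['fail'], flags['loop']

def wp(method, prog, Q):
    """wp_X(alpha, Q) as the set of states satisfying it (definitions of Section 5.4):
    <alpha>true and [alpha]Q for every X, plus not loop_alpha for D and DT,
    plus not fail_alpha for D and B."""
    result = set()
    for x in DOMAIN:
        finals, fail, loop = analyse(prog, x)
        ok = bool(finals) and finals <= Q
        ok = ok and not (loop and method in ('D', 'DT'))
        ok = ok and not (fail and method in ('D', 'B'))
        if ok:
            result.add(x)
    return frozenset(result)

def wp_calc(prog, Q):
    """Dijkstra's calculus D3-D6 for wp_D, read as equations on sets of states
    (D5 and D6 in their n-guard form)."""
    kind = prog[0]
    if kind == 'asg':                                     # D3: Q with e substituted for x
        return frozenset(x for x in DOMAIN if prog[1](x) in Q)
    if kind == 'seq':                                     # D4
        return wp_calc(prog[1], wp_calc(prog[2], Q))
    arms = prog[1]
    if kind == 'if':                                      # D5
        return frozenset(x for x in DOMAIN if any(g(x) for g, _ in arms)
                         and all(x in wp_calc(b, Q) for g, b in arms if g(x)))
    # D6: H_0 = (no guard open) and Q;  H_{k+1} = H_0 or wp(IF, H_k);  wp(DO, Q) = exists k. H_k.
    H = frozenset(x for x in DOMAIN if not any(g(x) for g, _ in arms)) & Q
    while True:                                           # the chain H_k stabilises on a finite domain
        H_next = H | wp_calc(('if', arms), H)
        if H_next == H:
            return H
        H = H_next

def d4_gap(method, a, b, Q):
    """States on which D4 fails for wp_X: wp_X(a;b,Q) versus wp_X(a, wp_X(b,Q)).  Empty iff D4 holds."""
    return wp(method, seq(a, b), Q) ^ wp(method, a, wp(method, b, Q))

# Constructed sample programs: skip, abort and diverge as written in Section 5.5, the
# loop DO x<5 -> x<-x+1 OD, and the Theorem 5.8 counterexamples: alpha is
# IF true -> x<-1 | true -> x<-2 FI, beta fails at x=1 and beta_b diverges at x=1.
skip = IF((lambda x: True, asg(lambda x: x)), (lambda x: True, asg(lambda x: x)))
abort = IF((lambda x: False, asg(lambda x: x)), (lambda x: False, asg(lambda x: x)))
diverge = DO((lambda x: True, asg(lambda x: x)), (lambda x: True, asg(lambda x: x)))
count_up = DO((lambda x: x < 5, asg(lambda x: x + 1)))
alpha = IF((lambda x: True, asg(lambda x: 1)), (lambda x: True, asg(lambda x: 2)))
beta = IF((lambda x: x != 1, skip), (lambda x: x != 1, skip))
beta_b = IF((lambda x: x == 1, diverge), (lambda x: x != 1, skip))

if __name__ == '__main__':
    print('wp_D(count_up, x=5):', sorted(wp('D', count_up, frozenset({5}))),
          ' by the calculus:', sorted(wp_calc(count_up, frozenset({5}))))
    for m in ('D', 'DT', 'B', 'BG'):
        print(m, 'D4 gap with beta:', sorted(d4_gap(m, alpha, beta, DOMAIN)),
              ' with beta_b:', sorted(d4_gap(m, alpha, beta_b, DOMAIN)))
```

The semantic side never looks at the syntax of a loop: divergence is a reachable cycle in the configuration graph and failure is an IF with no open guard, which is exactly how loop_α and fail_α are defined on ct(α,I). The calculus side is the fixpoint iteration of D6, which terminates here because the domain is finite; for a practitioner the interesting check is that the two sides agree for wp_D on every sample program while the D4 gap for the other three methods is the whole domain, as Theorem 5.8 states.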


6. The Mathematics of Diverging and Failing.


In this chapter we concentrate on some of the mathematical properties of the two concepts of diverging and failing introduced in Chapter 5. Most of the chapter, however, will be concerned with loop_α. In particular we emphasize the problems of expressing this concept in DL and providing a suitable arithmetical axiomatization of it.

In Section 6.1 we consider the question of obtaining syntactic equivalents, in DL, of loop_α and fail_α for the class of programs RG. In particular, in 6.1.1, we show how a recent theorem of Winklmann [71] serves as the central part in a proof that such an equivalent exists for loop_α. We then show, in 6.1.2, that an equivalent exists for fail_α too. Thus, as far as expressive power is concerned, loop_α and fail_α add nothing. In Section 6.2 we introduce an extension of DL, DL⁺, in which there is a specially designated primitive for loop_α. A natural and concise arithmetical axiomatization, P⁺, of DL⁺ is given in Section 6.2.2. Section 6.3 is devoted to noting the remarkable similarity in form between the rules of P⁺ dealing with α*; this observation can be seen to supply a framework to aid when constructing such systems in general. The framework also supplies a broad perspective for understanding, say, the invariant assertion method of Floyd [27] and Hoare as a special case of arithmetical axiomatizations. Section 6.4 contains an application of these ideas in the form of an arithmetically complete axiomatization of another extension of DL, which borrows the ∩ operator of Salwicki [59]. In this extension (∩DL) the mechanism introduced for expressing loop_α is not quite as direct as that of augmenting DL with loop_α itself (as is essentially done in DL⁺), but it is considerably more direct than relying on the equivalent DL-wff of Section 6.1.1.


6.1 Expressing loop_α and fail_α in DL.


It might seem at first that a simple inductive characterization of loop_α and fail_α is possible, along the lines, say, of Lemma 5.3(1). There we show that loop_{α;β} is equivalent to (loop_α ∨ <α>loop_β); in other words, that being able to determine whether α;β contains a divergence is reducible to determining whether α and β do, given in addition the tools of DL. This task, however, is not quite as simple as it seems. In Sections 6.1.1 and 6.1.2 we focus, respectively, on loop_α and fail_α.


6.1.1 Expressing loop_α in DL.

Lemma 6.1: For every α,β∈RG, assignment x←e and test P?, the following are valid:

(1) loop_{x←e} ≡ false,
(2) loop_{P?} ≡ false,
(3) loop_{α∪β} ≡ (loop_α ∨ loop_β),
(4) loop_{α;β} ≡ (loop_α ∨ <α>loop_β).

Proof: (4) is Lemma 5.3(1). The others follow from the definition of ct(α,I). ∎


In order to be able to talk about α* we allow ourselves, in this chapter, the freedom of writing, say, I⊨∀n<α^n>P instead of "for all n, I⊨<α^n>P holds". (Recall that α^0 is true? and α^{n+1} is α;α^n.) We also use the phrase "there exist infinitely many n's such that", and note that ∀n<α^n>true is equivalent to saying that <α^n>true holds for arbitrarily large n.


Theorem 6.2: For every α∈RG, ⊨(loop_{α*} ≡ (<α*>loop_α ∨ ∀n<α^n>true)).

(Remark: In line with the above convention, the theorem reads: "In any state I, I⊨loop_{α*} holds iff either I⊨<α*>loop_α holds or for every n we have I⊨<α^n>true.")
Proof: As remarked in Chapter 5, by Koenig's lemma, for any β, I⊨loop_β holds iff there is an infinite path in ct(β,I). Now assume I⊨loop_{α*}. By the construction of pct(α*,I) as pct((true? ∪ α;α*),I) it is quite evident that if J⊨¬loop_α holds for every J∈I(α*) (i.e. if I⊨[α*]¬loop_α holds), then an infinite path (I_0,I_1,I_2,...) in pct(α*,I) must be an infinite α-path; i.e. there must be a subsequence of it in which every two adjacent states are related via m(α). Denote this subsequence by (J_0,J_1,...), where J_0 = I and for every n≥0 we have (J_n,J_{n+1})∈m(α). Then (I,J_n)∈m(α^n) for every n, and hence I⊨∀n<α^n>true.

Conversely, we first note that it is easy to see that ⊨(<α*>loop_α ⊃ loop_{α*}). Assume now that I⊨∀n<α^n>true. By the construction of pct(α*,I) this implies that pct(α*,I) (and hence also ct(α*,I)) has leaves at arbitrarily large depths, which implies that ct(α*,I) is infinite. ∎




Thus, a divergence in α* is due either to a divergence in α itself after execution of some number of α's (local diverging), or to being able to run α's repeatedly for ever (global diverging).


It is immediate then that the only obstacle to a straightforward translation of loop_α into a DL-wff is the fact that ∀n<α^n>true is not a DL-wff. However, we have the following recently established fact:

Theorem 6.3 (Winklmann [71]): For every α∈RG and L-wff P there exists a DL-wff Q such that ⊨(Q ≡ ∀n<α^n>P).


The (constructive) proof involves a very subtle argument based on the structure of the set I(α*) for some fixed state I, making a distinction between its being infinite due to some repetition of a state along an α-path and its being infinite without any such repetition. Thus, by taking P to be true, we obtain:

Corollary 6.4: For RG, loop_α is expressible in DL; i.e. for every α∈RG there exists a DL-wff P_α such that ⊨(P_α ≡ loop_α).


It is easy to generalize the definition of ct(α,I) to cover the programming languages "array-RG" and "rich-test-RG", which are the sets of programs allowed in array-DL (Section 2.3.1) and rich-test-DL (Section 2.3.3) respectively. These trees are also of finite outdegree, and for them too we can define loop_α to be true iff ct(α,I) is infinite. We then have

Theorem 6.5 (Meyer [43]): For every α∈array-RG and L-wff P there exists an array-DL-wff Q such that ⊨(Q ≡ ∀n<α^n>P).

Theorem 6.6 (Winklmann): For every α∈rich-test-RG and L-wff P there exists a rich-test-DL-wff Q such that ⊨(Q ≡ ∀n<α^n>P).

Corollary 6.7: For array-RG (resp. rich-test-RG), loop_α is expressible in array-DL (resp. rich-test-DL).




One can define ct(α,I) for random-DL (Section 2.3.2), a definition which results in trees of infinite outdegree, and then define I⊨loop_α to hold iff ct(α,I) has an infinite path. Parikh [50] has been able to show that for random-RG, loop_α is not expressible in random-DL.

Recently Pratt [54] has shown how a plausible definition of loop_α for PDL, when the atomic programs in AP (see Chapter 1) are assigned binary relations by the semantics and not some sort of computation trees, gives rise to a proof that loop_α is not expressible in PDL.




6.1.2 Expressing fail_α in DL.

We now turn to fail_α. Here too DL is powerful enough to express fail_α for any α∈RG. In this case, however, we will need to carry out a very careful analysis of the cases in which a failure node in pct(α,I) is not deleted when constructing ct(α,I). The complication arises in the case of composition (i.e. when ct(β,J) has a failure but ct(α;β,I) does not). We will see later that for the guarded commands language GC (Section 5.5) this complication vanishes, and in this case the construction of the DL-wff R_α such that ⊨(R_α ≡ fail_α) holds is quite straightforward.


Consider now the general set of regular programs. We define inductively the construct onenode_α such that I⊨onenode_α holds iff ct(α,I) is a single node:

onenode_{x←e} ≡ false,
onenode_{P?} ≡ true,
onenode_{α∪β} ≡ false,
onenode_{α;β} ≡ (onenode_α ∧ (onenode_β ∨ fail_α)),
onenode_{α*} ≡ false.

Now abbreviate (fail_α ∧ ¬onenode_α) to mfail_α (a multi-node failure of α), and (fail_α ∧ onenode_α) to 1fail_α (a one-node failure); mfail is the name adopted here for the multi-node case.


Lemma 6.8: For every α,β∈RG, assignment x←e and test P?, the following are valid:

(1) fail_{x←e} ≡ false,
(2) fail_{P?} ≡ ¬P,
(3) fail_{α∪β} ≡ ((fail_α ∧ fail_β) ∨ mfail_α ∨ mfail_β),
(4). ‘Gale caddie oft pis Ries ) 
(5) oth ge = Cee nfl: tio 8 


Proof: We omit the straightforward but rather tedious proofs. ∎

We would like to construct a DL-wff other_{α,β} such that

fail_{α;β} ≡ (fail_α ∨ <α>mfail_β ∨ other_{α,β})

will be valid. In other words, we would like other_{α,β} to cover the cases which fail_α and <α>mfail_β do not; i.e. the cases in which there is a failure node in ct(α;β,I) which does not appear in ct(α,I), and furthermore that failure is the result of ct(β,J) being the one-node failure tree in some state J∈I(α) (i.e. J⊨1fail_β). There are precisely three cases in which this situation might arise:

(1) ct(α,I) = {(Λ,I)} and ct(β,I) = {(Λ,F)},
(2) in ct(α,I) there is a node which has only one descendant, a leaf labeled J, such that ct(β,J) = {(Λ,F)},
(3) in pct(α,I) there is a node labeled J which has two descendants
“of which: Serres yer War preGh a copa : 
ct 8,3) = Tinh: ie. eye eens 




(Any other failure which occurs when α is composed with β is covered by either fail_α or <α>mfail_β.)
For any α,β∈RG, we now supply an inductive construction of the three constructs 3¹_{α,β}, 3²_{α,β} and 3³_{α,β}, corresponding respectively to cases (1)-(3) above. (The following theorem can then be seen to follow from the construction.)

Theorem 6.9: For every α,β∈RG,
⊨(fail_{α;β} ≡ (fail_α ∨ <α>mfail_β ∨ 3¹_{α,β} ∨ 3²_{α,β} ∨ 3³_{α,β})).


Turning to the construction, we note that 3¹_{α,β} is simply (onenode_α ∧ ¬fail_α ∧ 1fail_β).


We define 3²_{α,β} and 3³_{α,β} by induction on α as follows:


1 7 a Pa, 
ae “aay gw - ant 
| | Mmnalag Retna A ifailg A 
ieee a eerie oF, “e Raat V4fett yo) 
aja" | — Berte 736) Vag os ee or he wipy Ve O33," g 
ax cay, r “3 j : epg ifallp) V <a™33y g 
Note now that the right hand side of the equivalence in Theorem 6.9 is defined using DL-wffs and the constructs onenode and fail applied to subprograms of α;β only. Consequently, Lemma 6.8 and Theorem 6.9 imply:

Corollary 6.10: For RG, fail_α is expressible in DL; i.e. for every α∈RG there exists a DL-wff R_α such that ⊨(R_α ≡ fail_α).


We remark that for the guarded commande langage CC,. we have bifatl,, for 


every a€GC. Consequently, it is easy. to see that for. apy ay RtGC we have 
so that we obtain Lemma 5.9 again, this time as a corollary of Theorem 6.9.


6.2 DL Augmented with loop_α.


In this section we introduce an extension of DL, DL⁺, which consists essentially of adding the loop_α construct as a primitive to DL. The virtue of this augmentation is the ability to reason about divergences directly, without having to go through the translation of loop_α into its equivalent DL-wff (Theorem 6.3 and Corollary 6.4). We remark that the DL-wff Q_α of Theorem 6.3, and hence P_α of Corollary 6.4, have the unpleasant property of being strongly dependent on the structure of α and on the variables appearing in α, so that P_{α'} cannot be obtained from P_α by substituting α' for α throughout. Consequently, proving a formula in which loop_α appears will inevitably involve carrying out the transformation of loop_α to P_α, and then reasoning in DL. The point is that whatever intuition one might have about loop_α is, in a strong sense, lost in the process. On the other hand, the axiomatization of DL⁺ presented in Section 6.2.2 is natural and intuitive.


6.2.1 Definitions.


The sets of symbols of DL⁺, the sets of terms and atomic formulae and the set RG of regular programs are all as in DL (Section 2). The set of DL⁺-wffs is defined as follows:

(1) Any atomic formula is a DL⁺-wff.
(2) For any DL⁺-wffs P and Q, α∈RG and variable x, ¬P, (P∨Q), ∃xP, <α>P and <α>⁺P are DL⁺-wffs.


Abbreviations are adopted as in DL, and in addition we abbreviate ¬<α>⁺¬P to [α]⁺P, reading <α>⁺P and [α]⁺P as "diamond-plus-α P" and "box-plus-α P" respectively.


For the definition of the semantics of DL⁺ we adopt the concepts of state and universe from Section 2.1, but now we think of the semantics as assigning to α the set of computation trees {ct(α,J) | J∈I} (see Section 5.2). However, by virtue of Theorem 5.2 we can continue to refer to m(α), defined now as {(J,ℑ) | ℑ labels a leaf of ct(α,J)}, while remaining consistent with m(α) of Chapter 2.


The definition of the set of states satisfying a DL⁺-wff P is, for atomic formulae and for the clauses ¬P, (P∨Q), ∃xP and <α>P, taken from Section 2.1. For <α>⁺P we define

J ⊨ <α>⁺P iff either J ⊨ <α>P holds or ct(α,J) is infinite.

In other words, J ⊨ <α>⁺P holds iff J ⊨ (<α>P ∨ loop_α) does. One can then verify that

J ⊨ [α]⁺P iff both J ⊨ [α]P holds and ct(α,J) is finite.

From these we obtain our DL⁺ versions of loop_α and of its negation:

J ⊨ loop_α iff J ⊨ <α>⁺false,
J ⊨ ¬loop_α iff J ⊨ [α]⁺true.

With this definition one can see that Corollary 6.4 asserts that DL and DL⁺ are equivalent in expressive power, thus verifying the conjecture made in [28].


We refer the reader to Appendix D, in which we exhibit a program with a somewhat nontrivial behavior, the interesting properties of which can be expressed in DL⁺.


Before proceeding with the axiomatization of DL⁺ we would like to exhibit an alternative, but equivalent, definition of the semantics of DL⁺, which justifies the ⁺-notation in a rather interesting way, in view of the addition, as in [1] and [36], of an "undefined state" to the grand universe I. This differs from the approach taken in our original definition of DL⁺ in [25].


Define I⁺ to be the set I ∪ {⊥}, where ⊥ (read "bottom"), the divergence state, is a "state" in which, by definition, every DL-wff is false; i.e., ⊥ ⊭ P for every P. Note then that ⊥ ⊭ P and ⊥ ⊭ ¬P both hold, so that ⊥ ⊭ P and ⊥ ⊨ ¬P are not the same.


Now let m⁺(α) = m(α) ∪ {(J,⊥) | J ⊨ loop_α}, and (solely for the sake of this definition) let Jαℑ stand for (J,ℑ)∈m⁺(α). If we now define

J ⊨ <α>P iff ∃ℑ(Jαℑ ∧ ℑ ⊨ P),

then [α]P, defined as ¬<α>¬P, should read

J ⊨ [α]P iff ∀ℑ(Jαℑ ⊃ ℑ ⊭ ¬P)

rather than with ℑ ⊨ P on the right. On the other hand one can see that ∀ℑ(Jαℑ ⊃ ℑ ⊨ P) asserts that J ⊨ [α]P and that furthermore (J,⊥)∉m⁺(α) (otherwise we would have had Jα⊥ and ⊥ ⊭ P). And ∃ℑ(Jαℑ ∧ ℑ ⊭ ¬P) behaves exactly as <α>⁺P above. Thus we can define

J ⊨ [α]⁺P iff ∀ℑ(Jαℑ ⊃ ℑ ⊨ P),
J ⊨ [α]P iff ∀ℑ(Jαℑ ⊃ ℑ ⊭ ¬P),
J ⊨ <α>P iff ∃ℑ(Jαℑ ∧ ℑ ⊨ P),
J ⊨ <α>⁺P iff ∃ℑ(Jαℑ ∧ ℑ ⊭ ¬P).

However, in the sequel we abolish the artificial state ⊥ and treat <α>⁺P as the abbreviation of (<α>P ∨ loop_α), as above.


6.2.2 Axiomatization of DL⁺.


Let us first gather together the properties of <α>⁺ and [α]⁺, most of which have been proved previously for loop_α:


Lemma 6.11: For every α,β∈RG, assignment x←E, test Q? and DL⁺-wffs P and R, the following are valid:

(1) [α]⁺P ≡ ([α]P ∧ [α]⁺true),
(2) <α>⁺P ≡ (<α>P ∨ <α>⁺false),
(3) [x←E]⁺true,
(4) [Q?]⁺true,
(5) [α;β]⁺P ≡ [α]⁺[β]⁺P,
(6) <α;β>⁺P ≡ <α>⁺<β>⁺P,
(7) [α∪β]⁺P ≡ ([α]⁺P ∧ [β]⁺P),
(8) <α∪β>⁺P ≡ (<α>⁺P ∨ <β>⁺P),
(9) [α]⁺(P∧R) ≡ ([α]⁺P ∧ [α]⁺R),
(10) <α>⁺(P∨R) ≡ (<α>⁺P ∨ <α>⁺R).

Proof: We prove (5). [α;β]⁺P is, by definition, ([α;β]P ∧ [α;β]⁺true), or ([α][β]P ∧ [α;β]⁺true). However, since by Lemma 5.3(1) we have [α;β]⁺true ≡ ([α]⁺true ∧ [α][β]⁺true), we conclude that [α;β]⁺P ≡ ([α]⁺true ∧ [α]([β]P ∧ [β]⁺true)) ≡ ([α]⁺true ∧ [α][β]⁺P) ≡ [α]⁺[β]⁺P. The proofs of the other parts are similar. □


Note how the choice of <α>⁺P, rather than loop_α itself, as the primitive construct gives rise to the clean dual pairs of properties above. We can now give a more concise characterization of the divergence of α*:


Theorem 6.12: For every α∈RG,

(1) ⊨(<α*>⁺false ≡ ∀n<α^n>⁺true),
(2) ⊨([α*]⁺true ≡ ∃n[α^n]⁺false).

Proof: By Theorem 6.2, <α*>⁺false (i.e. loop_{α*}) is equivalent to (<α*>loop_α ∨ ∀n<α^n>true), which can be seen to be equivalent to (∃n<α^n>loop_α ∨ ∀n<α^n>true), or

(∃n loop_{α^n} ∨ ∀n<α^n>true).

Claim: ⊨(∃n loop_{α^n} ⊃ ∀n(loop_{α^n} ∨ <α^n>true)).
Proof: Assume J ⊨ loop_{α^{n₀}} for some n₀. Then for every n < n₀ we have either J ⊨ <α^n>true or, failing that, J ⊨ loop_{α^n} (for if no computation of α^n from J succeeded and none diverged, then α^{n₀} could not diverge either). Also, for any n ≥ n₀ we have J ⊨ loop_{α^n}, since a divergence of α^{n₀} is also a divergence of α^n; thus the claim is proved.

With this claim established it is easy to see that (∃n loop_{α^n} ∨ ∀n<α^n>true) is equivalent to ∀n(loop_{α^n} ∨ <α^n>true), i.e. to ∀n<α^n>⁺true. (2) follows from (1) by the definition of [α*]⁺. □


Now let A be any arithmetical universe, and consider the axiom system P⁺ for DL⁺, consisting of the axioms and inference rules of P (Section 3.2) together with the following:

Axioms:

(O) [α]⁺P ≡ ([α]P ∧ [α]⁺true),
(P) [x←E]⁺true,
(Q) [Q?]⁺true,
(R) [α;β]⁺true ≡ [α]⁺[β]⁺true,
(S) [α∪β]⁺true ≡ ([α]⁺true ∧ [β]⁺true).

Inference rules:

(T)  P(n+1) ⊃ [α]⁺P(n) ,  ¬P(0)
     ---------------------------   for an L-wff P with free n, n∉var(α)
     P(n) ⊃ [α*]⁺true

(U)  P ⊃ <α>⁺P
     ---------------------------
     P ⊃ <α*>⁺false

Provability in P⁺ is as defined in Section 3.2. Here too we first establish the soundness of P⁺ by showing the soundness of rules (T) and (U):


Lemma 6.13: For any L-wff P(n) and α∈RG, where n∉var(α), if ⊨_A(P(n+1) ⊃ [α]⁺P(n)) and ⊨_A ¬P(0), then ⊨_A(P(n) ⊃ [α*]⁺true).

Proof: Assume the two hypotheses, and also assume that J ⊨ P(n) holds. Without causing confusion we can denote n_J by n. We have to show that ct(α*,J) is finite. It is easy to see that a chain J₀, J₁, J₂, ... such that J₀ = J and ∀i(J_i α J_{i+1}) is impossible, for by the first hypothesis it would imply J_n ⊨ P(0), contradicting the second. Similarly, by the first hypothesis, for any ℑ with (J,ℑ)∈m(α*) we know that ct(α,ℑ) is finite, and hence by Theorem 6.2 there is no way for α* to diverge. □


Lemma 6.14: For any universe U, DL⁺-wff P and α∈RG, if ⊨_U(P ⊃ <α>⁺P) then ⊨_U(P ⊃ <α*>⁺false).

Proof: Assume ⊨_U(P ⊃ <α>⁺P) and J ⊨ P. If J ⊨ <α*>loop_α holds, then by Theorem 6.2 so does J ⊨ loop_{α*}, i.e. J ⊨ <α*>⁺false. Assume then that J ⊨ [α*]¬loop_α. We show that J ⊨ ∀n<α^n>true, which by Theorem 6.2 again gives J ⊨ loop_{α*}. Indeed, by ⊨_U(P ⊃ <α>⁺P) and J ⊨ P we can show, by induction on n, that for all n we have J ⊨ <α^n>P, and hence J ⊨ <α^n>true: at every state reachable from J, loop_α fails, so at each P-state reached <α>⁺P reduces to <α>P. □


As in P, we remark that rule (U) can be replaced by the (valid) induction axiom scheme

[α*](P ⊃ <α>⁺P) ⊃ (P ⊃ <α*>⁺false),

which is derivable in P⁺, and from which (using the other parts of P⁺) rule (U) can be derived. Thus, from Theorem 3.6 and Lemmas 6.11, 6.13 and 6.14 we obtain:


Theorem 6.15 (A-soundness of P⁺): For any DL⁺-wff P, if ⊢_{P⁺} P then ⊨_A P. □

Here too we would like to apply the Theorem of Completeness (Theorem 3.1) in order to obtain arithmetical completeness. To do so one needs a slightly more general version of that theorem, accommodating the constructs [α]⁺ and <α>⁺; we omit the precise statement of such a theorem, since it involves only a routine extension of the proof of Theorem 3.1 to these constructs. We first need a basic lemma:


ide 6. Is: Lg Heigl tr mL 3Vy 2 mest GEE ok FBS fast g 4 pace oh thee er! 


Pelee oer oe et yimartaneas 10) Piet ce Rader es vitectiewye fred Sa 
Prosft % ivtscaerianieg teiaiig tan asteaascala aE Bos 
¥ ’ ory oe ERG et 4 ‘ 


We now have:

Lemma 6.17: The following are derived rules of P⁺:

     P ⊃ Q
     ---------------------------
     [α]⁺P ⊃ [α]⁺Q

(T') R ⊃ ∃nP(n) ,  P(n+1) ⊃ [α]⁺P(n) ,  ¬P(0)
     ---------------------------------------------   for an L-wff P with free n, n∉var(α)
     R ⊃ [α*]⁺true

(U') R ⊃ P ,  P ⊃ <α>⁺P
     ---------------------------
     R ⊃ <α*>⁺false

Proof: Trivial. □
We will now combine the two phases (treated separately for DL in Section 3.2) of (a) showing how to A-validate the premises of (T') and (U') when their conclusions are A-valid, and (b) showing box⁺- and diamond⁺-completeness:

Theorem 6.18 (Box⁺ Completeness Theorem): For every α∈RG and L-wffs R and Q, if ⊨_A(R ⊃ [α]⁺Q) then ⊢_{P⁺}(R ⊃ [α]⁺Q).

Proof: Since ⊨_A(R ⊃ [α]Q), prove R ⊃ [α]Q in P by Theorem 3.5, then prove R ⊃ [α]⁺true in P⁺ as follows, and use axiom (O) to combine the results. The existence of a proof, in P⁺, of R ⊃ [α]⁺true is established by induction on the structure of α, with the only non-trivial case being α*. For this case, if ⊨_A(R ⊃ [α*]⁺true) holds, then we apply the derived rule (T') with P(n) taken simply as an arithmetical equivalent of [α^n]⁺false. By Theorem 6.12 we have ⊨_A([α*]⁺true ≡ ∃nP(n)), and so the premises of (T') can be seen to hold: R ⊃ ∃nP(n) by the assumption, P(n+1) ⊃ [α]⁺P(n) by Lemma 6.11(5), and ¬P(0) since [α⁰]⁺false is [true?]⁺false, which is false. □


Theorem 6.19 (Diamond⁺ Completeness Theorem): For every α∈RG and L-wffs R and Q, if ⊨_A(R ⊃ <α>⁺Q) then ⊢_{P⁺}(R ⊃ <α>⁺Q).

Proof: As in the previous theorem. Here, for R ⊃ <α*>⁺false, the derived rule (U') is applied, taking P to be an arithmetical equivalent of <α*>⁺false itself. One can show that ⊨(loop_{α*} ⊃ (<α>loop_{α*} ∨ loop_α)), which establishes the A-validity of the premise P ⊃ <α>⁺P. (In fact, ⊃ in this case can be replaced by an equivalence.) □


As we remarked at the end of Section 3.2 regarding the Diamond Completeness Theorem, here too we can satisfy the premises of (U') by a "strongest <>⁺-consequent", giving rise to an alternative proof of Theorem 6.19: take P to be an arithmetical equivalent of (<(α⁻)*>R ∧ <α*>⁺false), where α⁻ denotes the converse of α, so that <(α⁻)*>R holds exactly at the states reachable by α* from some state satisfying R. Trivially, if ⊨_A(R ⊃ <α*>⁺false) then ⊨_A(R ⊃ P); and we leave it to the reader to show the more subtle fact that ⊨_A(P ⊃ <α>⁺P) holds too. In the next section we concentrate on the rules for α* in P and P⁺, and on the way in which we were able to A-validate their premises in order to obtain the basic completeness results.


We conclude:

Theorem 6.20 (Arithmetical Soundness and Completeness for DL⁺): For any DL⁺-wff P, ⊨_A P iff ⊢_{P⁺} P.

Proof: One direction is Theorem 6.15, and the other follows from Theorems 3.4, 6.16, 6.18 and 6.19, and the derived rules of Lemma 6.17. □

Appendix D contains an example of a program, some of whose properties are expressed in DL⁺ and proved in P⁺.


6.3 A Pattern of Reasoning.


We now exhibit a rather interesting pattern of reasoning along which the rules for α* in P and P⁺ have been developed, and which played a key role in proving the arithmetical completeness of these systems. The four constructs of interest are [α*]Q, <α*>Q, [α*]⁺true and <α*>⁺false, two of which are of universal and two of existential nature. For each, a "descending" induction rule involving P(n) can be constructed directly from knowing, e.g., that [α*]Q is ∀n[α^n]Q and that [α*]⁺true is ∃n[α^n]⁺false. Furthermore, the rules are sufficient to make the systems complete, because it is possible to A-validate the premises of each when its conclusion is A-valid (i.e. P(n) is the appropriate "weakest antecedent"). For the two better behaved cases, [α*]Q and <α*>⁺false, "ascending" rules exist alongside the descending ones; there the P(n) is a "strongest consequent", and the two kinds of rule can be merged into a single index-free rule whose premises are A-validated by (what amounts to) both the weakest antecedent and the strongest consequent. Finally, the resulting rules are exactly the derived rules (T') and (U') and their counterparts in P.

In the sequel, for brevity, we write P' to denote P(n+1), P to denote P(n) and P⁰ to denote P(0). We present the four cases in parallel, as follows.


The concepts involved are:

[α*]Q,   <α*>Q,   [α*]⁺true,   <α*>⁺false.

The concise arithmetical characterizations of these concepts are:

∀n[α^n]Q,   ∃n<α^n>Q,   ∃n[α^n]⁺false,   ∀n<α^n>⁺true.

A descending inductive rule is obtained from each characterization by introducing P, having R imply QnP, where the quantifier Q (∀ or ∃) is determined by the arithmetical characterization, and having P⁰ imply the corresponding base formula:

R ⊃ ∀nP ,  P' ⊃ [α]P ,  P⁰ ⊃ Q
--------------------------------
R ⊃ [α*]Q

R ⊃ ∃nP ,  P' ⊃ <α>P ,  P⁰ ⊃ Q
--------------------------------
R ⊃ <α*>Q

R ⊃ ∃nP ,  P' ⊃ [α]⁺P ,  P⁰ ⊃ false
--------------------------------
R ⊃ [α*]⁺true

R ⊃ ∀nP ,  P' ⊃ <α>⁺P ,  P⁰ ⊃ true
--------------------------------
R ⊃ <α*>⁺false

The premises of these rules are A-validated (when the conclusions are A-valid) by taking P to be equivalent to

[α^n]Q,   <α^n>Q,   [α^n]⁺false,   <α^n>⁺true

respectively.


We could have stopped here; the above rules are sound and "complete", and would enable a completeness theorem to go through in the same way as the proofs above.


Since we have the duality principle (see [52]) that ⊨(R ⊃ [α]Q) iff ⊨(<α⁻>R ⊃ Q), where α⁻ is the converse of α, natural "ascending" rules, which are constructed dually to the descending ones, are

R ⊃ P⁰ ,  P ⊃ [α]P' ,  ∃nP ⊃ Q
--------------------------------
R ⊃ [α*]Q

R ⊃ P⁰ ,  P ⊃ <α>⁺P'
--------------------------------
R ⊃ <α*>⁺false

Recalling the remark following Theorem 6.19, these rules can be seen to be A-validated by taking P to be a strongest consequent, namely <(α⁻)^n>R in the first and (<(α⁻)^n>R ∧ <α*>⁺false) in the second. Since in both cases the indices can be dispensed with (using, e.g., the validity of ([α*]P ⊃ [α][α*]P)), we obtain the unified rules

R ⊃ P ,  P ⊃ [α]P ,  P ⊃ Q
--------------------------------
R ⊃ [α*]Q

R ⊃ P ,  P ⊃ <α>⁺P
--------------------------------
R ⊃ <α*>⁺false

whose premises are A-validated, for [α*]Q and <α*>⁺false respectively, by both the weakest antecedent and the strongest consequent.

Now the "arms and legs" of these rules can be pruned, noting e.g. that from having proved R ⊃ ∃nP, P⁰ ⊃ Q and ∀n(P' ⊃ <α>P) we can deduce R ⊃ <α*>Q using validities of first order logic (included as axioms in (A)). Thus we obtain the final rules, which are the rules for α* of P and P⁺:

P' ⊃ [α]⁺P ,  ¬P⁰
--------------------
P ⊃ [α*]⁺true

P ⊃ <α>⁺P
--------------------
P ⊃ <α*>⁺false

P ⊃ [α]P
--------------------
P ⊃ [α*]P

P' ⊃ <α>P
--------------------
P ⊃ <α*>P⁰


The name given to the construct used to A-validate the premises (i.e. the P or P(n) which one needs to "invent" in order to be able to carry out a proof) is, in the case of [α*]Q, the invariant. We would appreciate suggestions on suitable names for the other three.

We would like the reader to consider the virtues of conducting this discussion for the language of regular expressions over assignments and tests. Consider how much more obscure the observations of this section would have been if we were to reason about, say, the while statement instead of about α*. In our opinion α* captures the raw essence of iterating in programming languages, just as α∪β captures the essence of branching and α;β the essence of sequencing. For the programming language designer who is interested in a deterministic language, or in a more "disciplined" nondeterministic one, we can recommend means of restricting the generality of these constructs, e.g. if-then-else and while, or simply Dijkstra's [14] guarded commands GC (Section 5.5). Note how Floyd's invariant assertion method, as described by Hoare's while rule (see Section 3.3), has been shown to fall out of this general pattern of constructing arithmetically complete rules as a special case.


6.4 DL with an Iteration Quantifier (ΛDL).

In this section we consider a different extension of DL, in which, instead of loop_α, a primitive expressing ∀n<α^n>P is added. Note then that it is immediate, by Lemma 6.1 and Theorem 6.2, that loop_α can be expressed, and there is no need to construct Winklmann's Q of Theorem 6.3. We will supply an arithmetically complete axiomatization of ΛDL, stressing the fact that the rules were obtained by the pattern of reasoning of the previous section.


Formally, ΛDL is defined similarly to DL (Section 2): its symbols, terms, atomic formulae, states and regular programs are as in DL, and the set of ΛDL-wffs is defined as follows:

(1) Any atomic formula is a ΛDL-wff.
(2) For any ΛDL-wffs P and Q, α∈RG and variable x, ¬P, (P∨Q), ∃xP, <α>P and (Λα)P are ΛDL-wffs.

For defining the semantics all we need, beyond the clauses of Section 2.1, is the convention

J ⊨ (Λα)P iff for every n ≥ 0, J ⊨ <α^n>P.


The construct (fe) P bt ecoar getifns wnt patti RAN Weta in. ° 
their work on oh rte chain inne oes chaeociemar a 
neve menaced ey 7 ) ye | ia % 
Lemme 6 2% or ery ote ter ts wr ADEM, ymin » 

é syygcis tay D8 
Thrus;: AOL ef exrente wB. ‘Werrematt 0 it AE wheter 
the FF ir Ty "fie wyhiece hn dpectl a ee DL* 
versions of Dk Ate 1 i 


easily asin aparece Henig sth 


Theorem 6.22: L is A-expressive for ΛDL.


Here too we will obtain our completeness result by applying Theorem 3.1; we omit most of the proof, noting only the following lemma and rules.

Lemma 6.23: For any program α and L-wffs R and Q, if ⊨_A(R ⊃ Q) then ⊨_A((Λα)R ⊃ (Λα)Q).
Proof: We omit this slightly tedious but nevertheless straightforward proof. □

Having Lemma 6.23 at hand, we add the following rule to P:

(R)  P ⊃ Q
     ---------------------------
     (Λα)P ⊃ (Λα)Q

We also add the rules:

(S)  R ⊃ ∀nP(n) ,  P(n+1) ⊃ <α>P(n) ,  P(0) ⊃ Q
     ---------------------------------------------   for an L-wff P with free n, n∉var(α)
     R ⊃ (Λα)Q

(T)  P(n+1) ⊃ [α]P(n)
     ---------------------------   for an L-wff P with free n, n∉var(α)
     P(n) ⊃ ¬(Λα)¬P(0)

(S) and (T) are obtained from the following rules, which in turn follow quite effortlessly from considerations similar to those described in Section 6.3:

R ⊃ ∀nP ,  P' ⊃ <α>P ,  P⁰ ⊃ Q
--------------------------------
R ⊃ ∀n<α^n>Q

R ⊃ ∃nP ,  P' ⊃ [α]P ,  P⁰ ⊃ Q
--------------------------------
R ⊃ ∃n[α^n]Q

We do not know of a duality principle, or of any other way for doing away with the indices in rule (S). Denoting the resulting axiom system by P(Λ), we have:

Theorem 6.24 (Arithmetical Soundness and Completeness for ΛDL): For any ΛDL-wff P, ⊨_A P iff ⊢_{P(Λ)} P.

Proof: Apply Theorem 3.1, and in the appropriate place (i.e. when proving that whenever ⊨_A(R ⊃ (Λα)P) holds then so does ⊢_{P(Λ)}(R ⊃ (Λα)P)) use the above two derived rules, showing that their premises can be made A-valid when their conclusions are, by taking P(n) to be arithmetical equivalents of <α^n>Q and [α^n]Q respectively. □
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7. The Mathematics of 


In this chapter we consider generalizing the methods developed in Chapter 6 in order to deal with programs outside the set RG, e.g. those in the set CF of recursive programs defined in Chapter 4.

In Section 7.1 we define computation trees for programs in CF, giving rise to loop_α and fail_α defined over this set. In Section 7.2 we consider the problem of whether, for α∈CF, loop_α and fail_α can be expressed as CFDL-wffs; in particular we provide the analogue of Theorem 6.2, and leave open the problem of the analogue of Theorem 6.3. Section 7.3 augments CFDL with loop_α for α∈CF, giving CFDL⁺, the resulting axiomatization (Section 7.3.2) not being quite as elegant as that of DL⁺ in Section 6.2.2.
re nae ee eee Bhs 


~ Section 1.4 is devoted to crib 
and failing can be defined on the bas 


these concept.by fa 
the intuition with 


| and CF in Sections 52 a 


7.1 Computation Trees for Recursive Programs.

The pre-computation tree pct(α,J), for a program α∈CF and a state J, is defined exactly as in Section 5.2, with the clause for α* replaced by the clause

(6) pct(τ*(X),J) = pct(false? ∪ τ(τ*(X)), J).

Intuitively, a node labeled J from which the recursive program τ*(X) is to be executed is expanded by unfolding the recursion once; as was the case with pct(α*,J), this process can lead to an infinite tree. The additional union with false? is introduced so that the process of calling recursively would itself "cost" an edge in the tree. A remark related to this matter appears in Section 7.4.

The computation tree ct(α,J) is obtained from pct(α,J) by deleting some of the failure nodes as described in Section 5.2, and loop_α and fail_α are also defined precisely as in that section.


Examples: In the following, J is some state in N, and in the diagrams we let i stand for J[i/y].
(a) Takea to be the program ((ye0Psyeyel) U ( yss0?; ep X; yey) Dep. 


[Diagrams: pct(α, J[1/y]) and ct(α, J[1/y]).]
(b) Take α to be X*(X); this is the recursive program which calls itself recursively "for ever".

[Diagrams: pct(α,J) and ct(α,J).]

(c) We now show how the two different translations of α* into CF programs (both of which give rise to the same binary relation; cf. Lemma 4.2) give rise to two different computation trees. As we formally state below, it is only the first of these two which gives rise to trees which, as far as loop_α and fail_α are concerned, are identical to those for α*. In all cases we supply a program α and the tree ct(α,J).

[Diagrams of ct(α,J) for the programs (true? ∪ (y←y+1;X))*(X), (true? ∪ (X;y←y+1))*(X), (true? ∪ (X; y<2?; y←y+1))*(X) and (true? ∪ (X; y≤2?; y←y+1))*(X); y≥2?.]


Here too we have:

Theorem 7.1: For every α∈CF, (J,ℑ)∈m(α) iff ct(α,J) has a leaf labeled ℑ.

Proof: Compare pct(τ*(X),J) = pct(false? ∪ τ(τ*(X)), J) with the observation that m(τ*(X)) = m(false? ∪ τ(τ*(X))). □


The following theorem substantiates the remark we made in example (c):

Theorem 7.2: For any α∈RG and J∈I, denote by α' the program (in CF) obtained by replacing every appearance of a subprogram of the form β* in α by (true? ∪ (β;X))*(X). Then we have

J ⊨ loop_α iff J ⊨ loop_{α'},
and J ⊨ fail_α iff J ⊨ fail_{α'}.


Proof: The claim follows by observing that pct(β*,J) = pct(true? ∪ (β;β*), J) and pct((true? ∪ (β;X))*(X), J) = pct(false? ∪ (true? ∪ (β;(true? ∪ (β;X))*(X))), J), but that the failure node due to the false? in the latter is deleted in the process of constructing ct. □

Note that for any α∈CF and J∈I, ct(α,J) is a tree of finite degree, so that Koenig's Lemma can be applied.


7.2 Diverging and Failing in CFDL.


As in Section 6.1, we are interested in providing, for any α∈CF, CFDL-wffs P_α and R_α such that we have ⊨(P_α ≡ loop_α) and ⊨(R_α ≡ fail_α). In both cases we will need tools similar to those developed for the corresponding results in Sections 6.1.1 and 6.1.2, but here a brand new problem arises, the solution of which requires defining the formula along(τ,Q) asserting, for a term τ(X) and formula Q, that Q is true at some point just preceding a recursive call to τ during a legal execution of τ*(X).


7.2.1 Expressing loop_α in CFDL.


We are looking for a characterization of loop_{τ*(X)} analogous to that of loop_{α*} in Theorem 6.2, in order to try to use it, together with an analogue of Theorem 6.3, for obtaining our result.

Recall that a divergence in α*, as discussed in Section 6.1.1, is due either to a local divergence, i.e. a divergence in some reachable execution of α, or to a global one, i.e. being able to execute α for ever. The former possibility is <α*>loop_α, which, as is implicit in the proof of Theorem 6.12, can be written ∃n loop_{α^n}, while the latter is ∀n<α^n>true. So we can write

⊨(loop_{α*} ≡ (∃n loop_{α^n} ∨ ∀n<α^n>true)).


Characterizing loop_{τ*(X)} is similar; here a local divergence is a divergence "inside" some application of a reachable τ, and can be expressed by ∃n loop_{τ^n(false?)}. (Note that this still does not solve the problem of expressing local diverging in CFDL; we deal with this question later.) Global diverging, on the other hand, is more subtle. Here we want to express the possibility of infinitely many nested recursive calls, which amounts to being able to "proceed infinitely deep into the recursion".

In order to capture this notion we restrict ourselves in this chapter to universes U in which the domain has at least two distinct elements, and in which two fixed variables have these two elements as values. Throughout, we use a and b freely as two variables with distinct values.

»ehbae a 

We now define, for any term τ(X), the term τ'(X) which allows "skipping" tests, recursive calls to τ and other recursive constructs, but forces such skips to be recorded in a new variable x. Formally, given τ(X), let x,y∉var(τ) be two variables, and let τ'(X) be τ(X) with every appearance of a subprogram β of the form X, P? or ρ*(Y) replaced by (x←b ∪ β). Also define

θ: (y≠a? ∪ (y=a?; x=a?; y←b)).

For any n ≥ 0 denote the program x←a; y←a; τ'^n(θ) by τ_n. We can now present our characterization of loop_{τ*(X)}:


Theorem 7.3: For any term τ(X),

⊨(loop_{τ*(X)} ≡ (∃n loop_{τ^n(false?)} ∨ ∀n<τ_n>y=b)).

Proof: Assume we have J ⊨ ∃n loop_{τ^n(false?)}. It is quite easy to see that ct(τ*(X),J) has at least as many nodes as ct(τ^n(false?),J) for any n, so that it is infinite. For the rest of the proof we need the following. For any i ≥ 0 and J∈I we would like to define the set S(i,τ,J) consisting of those states which occur immediately before an application of τ at "depth i". Define

S(0,τ,J) = {J},
S(i+1,τ,J) = ∪_{ℑ∈S(i,τ,J)} V(ℑ),

where V(ℑ) is the set of states ℑ' such that the process of constructing ct(τ(x←x),ℑ), for x∉var(τ), requires constructing ct(x←x,ℑ'). In other words, V(ℑ) is the set of states which an execution of τ starting in ℑ can reach exactly prior to a recursive call. Certainly if for some i we have ℑ∈S(i,τ,J), then ℑ labels some node in ct(τ*(X),J), and furthermore the path from the root of ct(τ*(X),J) to that node is of length at least i.

Assume now that J ⊨ ∀n<τ_n>y=b. We show that for any n ≥ 0 we have S(n,τ,J) ≠ ∅, and thus ct(τ*(X),J) has paths of arbitrary length and is therefore, by Koenig's Lemma, infinite. Indeed, given any n we have, by assumption, J ⊨ <τ_n>y=b, i.e. J ⊨ <x←a; y←a; τ'^n(θ)>y=b, so that there exists a path in ct(τ_n,J), starting from the root, which ends in a leaf in which the value of y is b. The labels of the successive nodes of this path are

J, J[a/x], J[a/x][a/y], J₁, J₂, ..., J_k

where J_k ⊨ y=b. Let j be the least index such that J_j ⊨ y=b. Since y is assigned only in θ, it is evident that in order for y to have changed value from a to b it must be the case that the value of x was a all along. More precisely, for all i ≤ j we have x_{J_i} = a, so that tests P? and subprograms of the form X were indeed "carried out" and not avoided by executing x←b instead. In other words, the initial segment of the path ending in J_j can be seen as being a simulation of a path from the root to the false? in ct(τ^n(false?),J). Consequently, we have J_j ∈ S(n,τ,J). This completes the proof of one direction.


Conversely, assume now that J ⊨ loop_{τ*(X)} but that for all n ≥ 0 we have J ⊭ loop_{τ^n(false?)}. Consider the infinite sequence s of successive labels of the nodes of an infinite path from the root in ct(τ*(X),J). It is easy to see that, by the hypothesis, there must exist a subsequence J₀, J₁, J₂, ... of s such that for every i we have J_i ∈ S(i,τ,J) and such that J_i corresponds to the point at which the path enters its i-th nested recursive call to τ. Now fix n; we describe the route for executing τ_n in such a way as to terminate in a state in which the value of y is b. Simulate the path corresponding to the initial segment of the sequence s ending in J_n, i.e. assign x←a and y←a, and then proceed in τ'^n(θ) exactly as s proceeded in τ*(X), executing tests and recursive constructs and not the x←b alternatives. By the definition of J_n, reaching J_n in s corresponds to reaching θ for the first time in τ'^n(θ). Thus, we have reached θ with x=a and y=a, and therefore y is assigned b. Execution in τ'^n(θ) is then to be completed by taking the x←b alternative instead of tests, appearances of X and recursive constructs. Clearly this execution will terminate (there are no tests to fail and no recursive constructs to diverge). Moreover, by the construction of θ any subsequent arrival at θ will not change the value of y, and since y is assigned nowhere else it remains b; hence J ⊨ <τ_n>y=b. □


We are now in a position to express both disjuncts in the statement of Theorem 7.3 by CFDL-wffs.

For dealing with the first disjunct, consider the set S(τ,J) = ∪_{i≥0} S(i,τ,J) which, intuitively, is the set of states which label those nodes in ct(τ*(X),J) which correspond to points just prior to a recursive call to τ. Assume we have defined, for any CFDL-wff Q and term τ(X), a formula along(τ,Q) such that

J ⊨ along(τ,Q) iff there is some ℑ∈S(τ,J) with ℑ ⊨ Q,

i.e. J ⊨ along(τ,Q) holds iff Q is true immediately prior to some reachable recursive call to τ in an execution of τ*(X) starting in state J. Assume also that we have defined, for every program α∈CF and term τ(X), the formula lp_{τ,α} such that, intuitively, J ⊨ lp_{τ,α} holds iff there is a divergence in ct(α(τ*(X)),J) which is due to α itself and not to the inner τ*(X) (here α(τ*(X)) denotes α with τ*(X) substituted for X).

It is quite clear that J ⊨ ∃n loop_{τ^n(false?)} holds iff at some state ℑ in the execution of τ*(X), just prior to a recursive call to τ, it is the case that there is a divergence in ct(τ(τ*(X)),ℑ) which is due to τ and not to the inner τ*(X); in other words, iff J ⊨ along(τ, lp_{τ,τ}).

Now we proceed to define these concepts, and then observe that, together with Lemma 6.1 and Theorem 7.3, they give rise to CFDL-wffs. Formally, we state the observation in the previous paragraph as a theorem.


- For any ¥ ACE. and terms €1(X) and pi ets eee 


lpy a. Fat false, 

"bg, a “ap (Pg, 

hes X 0. Fat  loobg,.., ee ma 
by pa Fag SOP B, 
'PB.X:B a “af (iY Bir 2. | 
Peree2,a. Rae elie VAPea a ie ee eee Sa ean 


Be E 


Now for defining along(τ,Q) we use ideas similar to those used in constructing τ' and θ for Theorem 7.3. Given τ(X), let x,y∉var(τ) be two variables, let Z = var(τ), and let Z' be a vector of disjoint primed versions of the variables in Z (see Chapter 4; in particular x,y∉var(τ) ∪ Z'). Define τ''(X) to be τ(X) with every appearance of a subprogram β of the form P? or ρ*(Y) replaced by (β ∪ x←b), and every appearance of the variable X replaced by

ρ: (x←b ∪ (x=a?; y=a?; Z'←Z; y←b) ∪ X),

where Z'←Z abbreviates the composition of the assignments z'←z for all z∈Z. Now define along(τ,Q) to be

<x←a; y←a; τ''*(X)>(y=b ∧ Q(Z')),

where Q(Z') is Q with every variable z∈Z replaced by z'. The intuition is that in x←a; y←a; τ''*(X) one has the option, whenever X is reached, of storing the current values of the variables Z in Z', as long as execution up until that point has been an honest simulation of a computation in τ*(X) (x=a) and no store has been carried out before (y=a). Once such a store has been carried out it cannot be carried out again because of the y=a? guard. Furthermore, as in the proof of Theorem 7.3, execution can always be completed quickly to the end of τ''*(X) by executing x←b, and when the execution finally terminates we assert that Q is true for the values of Z which we stored in Z' just before a recursive call.


From these observations, together with the remarks preceding the definitions of lp_{τ,α} and along(τ,Q), we obtain:

Theorem 7.4: For every term τ(X) we have

⊨(∃n loop_{τ^n(false?)} ≡ along(τ, lp_{τ,τ})). □
Now observe that the definition of along(τ, [...]) involves only CFDL-wffs and constructs of the form loop_α, where α includes only subprograms appearing in τ(X). We do not know how to deal with the right-hand side of Theorem 7.3, so that we have:

Open Problem: Is it the case that for every α∈CF, term τ(X) and [...] P there exists a CFDL-wff Q such that [...]?

An affirmative answer to this question would imply, together with Lemma 6.1 and Theorems 7.3 and 7.4, that for α∈CF, loop_α is expressible in CFDL.


7.2.2 Expressing fail in CFDL.


We have been unable to find an [...] algorithm for constructing, given α∈CF, the CFDL-wff R_α such that ⊨(R_α ≡ fail_α) holds. We can show, though, that such an R_α exists by [...] and uninteresting case analysis. The difficulty was in finding a CFDL-wff [...] such that we have

⊨(fail_{[...]} ≡ along(τ, [...])).


[...] is to hold whenever there is a failure in [...] due to τ (i.e. the failure does not [...]). The difficulties, similar to those of Section 6.4, are [...].


We pose to the reader the interesting problem of [...] a "useful" [...] of CF for total-correctness oriented reasoning, which would be to CF what the guarded commands language [...] is to RG. This programming language should have the property that [...] can be expressed easily and [...]. It would be interesting to try and find concise rules for constructing some or all of the four notions of total correctness or weakest preconditions [...], similar to those provided by Dijkstra [...] (see Section [...]).


7.3 CFDL Augmented with loop.


In this section we augment CFDL with loop, and refer to the resulting logic as CFDL*. Although there seems to be no reason to abbreviate (<α>P ∨ loop_α) to <α>*P, we will do so in order to be consistent with the treatment of DL* in Section 6.2. The virtues of augmenting CFDL with loop are those described for DL vs. DL* at the beginning of Section 6.2, with the additional point that it might turn out that for α∈CF, loop_α is not expressible in CFDL, and so we would have CFDL < CFDL*, in which case the augmentation is proper in the sense of obtaining strictly more expressive power. The axiomatization of CFDL* which we provide in Section 7.3.2 is not quite as natural looking as that of Section 6.2.2 for DL*. We are of the opinion that a search for a clean new formalism for reasoning naturally about recursive programs (perhaps using along(τ,Q) as a primitive) might be worth while, although we are [...] about [...].




7.3.1 Definitions.


The definition of CFDL* is similar to that of CFDL, taking the atomic formulas and the basic constructs from DL and [...]:
(1) Any atomic formula is a CFDL*-wff,
(2) For any CFDL*-wffs P and Q, α∈CF and variable x,
¬P, (P∨Q), <α>P, ∃xP and loop_α are CFDL*-wffs.


We abbreviate as in Section 6.2.1 and define semantics identically using the definition [...].

7.3.2 Axiomatization of CFDL*.


The basis of our axiomatization is Theorem 7.3 which we can now rephrase as:

[two equations illegible in the scan]

Here τ_c is the program (x←a;y←a;τ'(c)) where c [...] as in the remarks preceding Theorem 7.3. Also, in the sequel we use τ''(X) as defined preceding Theorem 7.4.


Our axiomatization here too will be of an extension CF'DL* which is defined as CFDL* but with the programs coming from the set CF'. As in Chapter 4, we will be using the fact that in an arithmetical universe A there exists, for any α∈CF', an L-wff P such that P^{[...]} expresses α. The problem that arises is that of defining the tree ct(α,J) for α∈CF' (as opposed to CF); or, alternatively, [...]. In defining loop_α we would like it to be the case that its [...]

[equation illegible in the scan]

One possibility is [...] the location of [each node given] by a list of natural numbers (rather than a list of strings of 0's and 1's); for P^e the tree would be defined (roughly) as:

ct(P^e,J) = {(Λ,J)} ∪ {(0,I) | (J,I)∈m(P^e)}.

Then, we would define J⊨loop_α to hold iff ct(α,J) has an infinite [path] (which in this [...]).




Another, equivalent, method is to associate with any α∈CF' and J∈I a set of computation trees CT(α,J). For P^e we would define:

CT(P^e,J) = {{(Λ,J),(0,I)} | (J,I)∈m(P^e)}.

The rest of the definition is quite analogous to the definition of ct(α,J) above. For example, CT(α;β,J) is the set of trees obtained by [following] the construction of ct(α;β,J) for every tree in CT(α,J), attaching any tree in CT(β,I) to a node labeled I whenever ct(β,I) was to be attached to that node in constructing ct(α;β,J).


Example: Let α: [...], P: x=x', and Z=(x). For any J such that [...] we have:

CT(α,J) = {[...]},
CT(P?,[...]) = {[...]},

and thus CT(α;P?,J) = {[...]}. Now [...].

We remark that either way loop_α is [...], and that for α∈CF, CT(α,J) = {ct(α,J)} [...].
Let A be any arithmetical universe, and consider the axiom system R* for CFDL* defined as R of Section 4.3 augmented with axioms [...] of P* in Section 6.2.2 and the following axioms and rules:

(In the following, P and Q are L-wffs, R is a CFDL*-wff, α∈CF', τ is a term, x and y are variables, x,y∉var(τ); Z=var(τ), V is the vector of variables formed by [extending] Z with x and y, and τ', τ'' and τ_c are as defined above.)


(V) [axiom illegible in the scan]

(W) [rule illegible in the scan; it has four premises, the first of the form
R ⊃ (<x←a;y←a;[...]>[...] ∨ ∀n<x←a;y←a;P(n)?>y=b),
the second of the form P(0,V,V') ⊃ <[...]>V=V', and a conclusion of the form R ⊃ <[...]>*false]

(Y) [rule illegible in the scan; the dual of (W), with a conclusion of the form R ⊃ [[...]]*true]

Provability in R* is defined as usual.

Theorem 7.5 (A-soundness of R*): For any CFDL*-wff P, if ⊢_{R*} P then ⊨_A P.


Proof: We establish the A-soundness of the additional axiom and rules and then use Theorems 4.10 and 6.25 to conclude the result.

We show then, that for any L-wffs P and Q, CFDL-wff R and term τ(X), with x, y, V, τ', τ'', τ_c, Z and V' as above, axiom (V) is A-valid, and (W) and (Y) preserve A-validity.
(V): By definition.
(W): We argue that the A-validity of the first premise of this rule, under the assumption that the other three are valid, asserts that

⊨(R ⊃ (loop_{[...]} ∨ <[...]>(false?) ∨ ∀n<[...]>[...])),

which, by Theorem 7.3, implies that ⊨_A(R ⊃ <τ_c>[...]false). (Recall that τ_c is an abbreviation of (x←a;y←a;τ'(c)).) And indeed, by Theorem 4.2 the premises, other than the first, assert, respectively, m(P(0),V) ⊆ m(τ'(c)), [...], and ∀n(m(P(n+1),V) ⊆ m(τ(P(n),V))). One can then show, by induction on n using Lemma 4.4, that ∀n(m(P(n),V) ⊆ m(τ'(c))). Consequently, since Q? is "smaller" as a relation than τ*(/) but is divergence-free, one can see that loop_{τ(Q?)} implies loop_{[...]}, and hence also that along(τ, loop_{τ(Q?)}) implies along(τ, [...]). By Theorem 7.4 the latter is [...]. Moreover, since for any n, P(n)? is "smaller" than τ_c, one can see that ∀n<x←a;y←a;P(n)?>y=b implies ∀n<[...]>y=b. Thus, the A-validity of the first premise of rule (W) implies that R ⊃ loop_{[...]} is A-valid, and hence we obtain the A-validity of the conclusion.
(Y): Dual reasoning to that of (W).


The proof of arithmetical completeness is [...] of similar proofs in the previous chapters. We apply [...] that its hypotheses hold in this [...] case. First we [prove]:

Theorem 7.6: L is A-expressive for CF'DL*.

Proof: Trivial using Theorem 4.1 and Corollary [...].

Now we prove the basic box*- and diamond*-completeness results, and then, following our remark in Section 6.2.2 about a "double functional" version of Theorem [...], we obtain our final result.


Theorem 7.7 (Diamond*-completeness Theorem for CF'DL*): For every α∈CF' and L-wffs R and Q, if ⊨_A(R ⊃ <α>*Q) then ⊢_{R*}(R ⊃ <α>*Q).


Proof: As in the proof of Theorem 6.19, it is easy to see that all we need to show is that if ⊨_A(R ⊃ <α>*false) then ⊢_{R*}(R ⊃ <α>*false). This, again, is established by induction on the structure of α. When α is of the form τ*(/) for some term τ we show the existence of L-wffs Q and P(n) such that the premises of rule (W) are A-valid. Since these premises involve only CF'DL-wffs and the formula <τ(Q?)>*false, in which the program is of complexity lower than τ*(/), the result will follow. Indeed, by Theorem 4.1 we can take Q and P(n) to be L-wffs involving, respectively, only variables in Z and V, and such that ⊨_A(Q ≡ τ*(/)) and for all n [...]. All the premises are easily seen to be A-valid for this choice.


Theorem 7.8 (Box*-completeness Theorem for CF'DL*): For every α∈CF' and L-wffs R and Q, if ⊨_A(R ⊃ [α]*Q) then ⊢_{R*}(R ⊃ [α]*Q).

Proof: As above using rule (Y). Q and P(n) are again taken exactly as above.
And thus, as remarked, we conclude:

Theorem 7.9 (Arithmetical Soundness and Completeness of CFDL*): For every CFDL*-wff P, [...]

Appendix E contains a proof of a CFDL*-wff in R*.


7.4 Language Dependent Diverging and Failing.

In this section, based upon an idea of Meyer [...], we show how it is possible to define notions of diverging and failing which depend not on any particular definition of computation trees, but solely upon the language generated by, say, the regular expressions. In fact, the new notions are well defined for any set of sequences of assignments and tests. An immediate upshot is the fact that these concepts of language-diverging and language-failing are defined for r.e. programs as well as for regular and context-free ones (see Section [...]). However, the new notions, independent of the particular expression (or grammar) defining the program, do not coincide precisely with our loop and fail. The brief technical investigation of this phenomenon which we supply below sheds some light on the need for adopting the seemingly ad hoc definitions of computation trees in Sections 5.2 and [...].


Let A be the alphabet consisting of all assignments and tests in DL. The programs we consider here are subsets of A*, i.e. sets of finite strings of assignments and tests. We use B, C, ... to denote [...] programs.


Let J∈I, B⊆A*, and a∈B such that [...]. We say that a is J-good if we have J⊨<a_;>true, where a_; is the straight-line DL program obtained by inserting ";" between every two elements in the string a. Now define J⊨lang-loop_B iff there exists an infinite string s over A, every finite prefix of which is a prefix of a J-good element of B. Intuitively, J⊨lang-loop_B asserts that it is possible to execute an element of B and then extend that element repeatedly for ever, executing the extension each time, without ever "leaving" B.


In order to be able to compare lang-loop with loop we adopt the standard translation T of a regular expression into the language (set of strings) it defines. Define T: RG → 2^{A*} as follows:

T(x←e) = {x←e},
T(P?) = {P?},
T(α;β) = {ab | a∈T(α) and b∈T(β)},
T(α∪β) = T(α) ∪ T(β),
T(α*) = (T(α))*.


We now observe that, contrary to expectation, it is not the case that for all α∈RG we have ⊨(loop_α ≡ lang-loop_{T(α)}). This follows from observing that, though T(α*) = T(α**), and although ⊨loop_{α*} does not necessarily hold, ⊨loop_{α**} always [does]. The situation is perhaps best explained by showing what has to be done to a regular expression, i.e. a program α in RG, in order to be able to [...].


For any α∈RG define α' to be α with every subprogram of the form β* replaced by (true? ∪ β*). Thus, we are explicitly adding the fact that "doing nothing" is a legal execution of β*; in this way, carrying out this degenerate (but nonempty) computation for ever results in a divergence, [witnessed by] the infinite set of strings {(true?)^n | n≥0}. Formally, we have

Lemma 7.10 [...]: For any α∈RG, ⊨(loop_α ≡ lang-loop_{T(α')}).
Turning now to the concept of failing, we would like to mark those elements a∈B which are not J-good, by pruning them at the point where a test failed and inserting the special indicator F. Define a mapping ψ: A*×I → (A∪{F})* as follows:

ψ(Λ,J) = Λ,
ψ(x←e,J) = x←e,
ψ(P?,J) = Λ if J⊨P, [F otherwise; the clause is partly illegible in the scan],
ψ(ab,J) = ψ(a,J)ψ(b,[...]) if [...],
          ψ(a,J) if [...].

It is easy to see that this definition is a unique one. In fact, for any a and J, ψ(a,J) includes only assignments, and possibly one F as the last element in the string.


Language-failing is now defined as follows: J⊨lang-fail_B iff there exists a∈B such that ψ(a,J)=bF, and such that for no c∈B is it the case that ψ(c,J)=bd where d≠F. The intuition is that B includes a language-failure in state J if one can execute a sequence of instructions a∈B starting in state J, and reach a false test without being able to continue from that point in some other sequence in B (i.e. no immediate alternative).


Here too, it is not the case that ⊨(fail_α ≡ lang-fail_{T(α)}). The counterexample being α: (x←e ∪ (false? ∪ false?)), for which we have ⊨fail_α but ⊭lang-fail_{T(α)}. We proceed similarly:


For every α∈RG, define α'' to be α with every subprogram of the form (β ∪ γ) replaced by (x←x;β ∪ y←y;γ), for some x,y∉var(α). Thus, we are marking the fact that we have executed a union and have gone left or right.


Lemma 7.11: For any α∈RG, ⊨(fail_α ≡ lang-fail_{T(α'')}).
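As an added example (not from the thesis), the following Python code works the counterexample of this section through the definitions above, for star-free regular programs only so that T(α) is a finite set: it computes T, the mapping ψ (whose clauses are reconstructed here from the remark that ψ(a,J) keeps only assignments and at most one final F), language-failing, and the union-marking α'' of Lemma 7.11. The symbol tables EXPR and PRED, the fresh marking variables p and q, and the start state are constructed for the example.

```python
# Alphabet A: assignment symbols 'x←e' and test symbols 'P?' are plain strings;
# their meaning comes from these two constructed tables (and variable lookup).
EXPR = {'e': lambda st: 7}
PRED = {'true': lambda st: True, 'false': lambda st: False}

def eval_expr(expr, st):
    return EXPR[expr](st) if expr in EXPR else st[expr]

def run_symbol(sym, st):
    """Execute one element of A in state st; returns (new state, test passed)."""
    if sym.endswith('?'):
        return st, PRED[sym[:-1]](st)
    var, expr = sym.split('←')
    new = dict(st)
    new[var] = eval_expr(expr, st)
    return new, True

# Star-free regular programs: ('sym', s) | ('seq', α, β) | ('union', α, β).
def T(alpha):
    """The translation T of Section 7.4 (without *, so the result is finite);
    strings are tuples of symbols."""
    k = alpha[0]
    if k == 'sym':
        return {(alpha[1],)}
    if k == 'seq':
        return {a + b for a in T(alpha[1]) for b in T(alpha[2])}
    if k == 'union':
        return T(alpha[1]) | T(alpha[2])
    raise ValueError(k)

def psi(a, st):
    """ψ(a,J): drop passed tests, keep assignments, cut at the first failed
    test and append the indicator 'F' (reconstructed clauses)."""
    out = []
    for sym in a:
        st, ok = run_symbol(sym, st)
        if not ok:
            return tuple(out) + ('F',)
        if not sym.endswith('?'):
            out.append(sym)
    return tuple(out)

def lang_fail(B, st):
    """J ⊨ lang-fail_B: some a∈B reaches a failure bF and no c∈B has a
    ψ-image continuing past the same prefix b with a non-F symbol."""
    images = {psi(c, st) for c in B}
    for img in images:
        if img and img[-1] == 'F':
            b = img[:-1]
            alternative = any(len(o) > len(b) and o[:len(b)] == b
                              and o[len(b)] != 'F' for o in images)
            if not alternative:
                return True
    return False

def mark_unions(alpha, x, y):
    """α'': replace every (β ∪ γ) by (x←x;β ∪ y←y;γ), x,y fresh (Lemma 7.11)."""
    k = alpha[0]
    if k == 'sym':
        return alpha
    if k == 'seq':
        return ('seq', mark_unions(alpha[1], x, y), mark_unions(alpha[2], x, y))
    left = ('seq', ('sym', f'{x}←{x}'), mark_unions(alpha[1], x, y))
    right = ('seq', ('sym', f'{y}←{y}'), mark_unions(alpha[2], x, y))
    return ('union', left, right)

# The counterexample of Section 7.4: α = (x←e ∪ (false? ∪ false?)).
ALPHA = ('union', ('sym', 'x←e'),
         ('union', ('sym', 'false?'), ('sym', 'false?')))
STATE = {'x': 0, 'y': 0, 'p': 0, 'q': 0}   # constructed start state J

def counterexample():
    """(lang-fail of T(α), lang-fail of T(α'')) in STATE: the first is False
    because x←e continues past the empty prefix, the second is True because
    the marked failing string q←q p←p F has no alternative continuation."""
    return lang_fail(T(ALPHA), STATE), lang_fail(T(mark_unions(ALPHA, 'p', 'q')), STATE)
```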


A similar treatment of the recursive programming language CF can be carried out. Here the counterexample to ⊨(loop_α ≡ lang-loop_{T(α)}), with T extended in the standard way to context-free grammars, is the program α: (X)*(/), for which we have ⊨loop_α but not ⊨lang-loop_{T(α)} since T(α)=∅. The coding trick needed here in order to capture loop_α by asserting lang-loop_{T(α''')} is to take α''' to be α with every program variable X in a subprogram of the form τ*(/) replaced by (true?;X). Thus, we are marking the fact that a recursive call "costs" a unit.


This particular direction of defining "grammar independent" notions seems to justify careful investigation. It is appealing in part because it does not assume any extension of the standard definitions of such operators as * when applied to programs. Its drawback, however, seems to be in the fact that in order to capture such (in our opinion highly intuitive and natural) concepts as loop_α and fail_α one needs to invent a form of encoding from which, in effect, the original (in this case the computation trees) can be reconstructed.


8. Conclusion and Directions for Future Work.


The following seem to be the main contributions of this thesis: 


(1) Provision of a comprehensive and rigorous [...] on dynamic logic.
(2) Introduction of the notion of arithmetical axiomatization and provision of [...] arithmetically complete axiom systems for [...].
(3) Introduction of the notions of diverging and failing and, with their aid, clarification of the concepts of total correctness [...].
(4) Provision of an analogy between iteration and recursion, [...] to the axiomatization of recursive dynamic logic, and [...] in reasoning about the diverging and failing of recursive [programs].

[...] will turn out to be quite easy; [...] we believe that [...] gained, thus easing the task of solving [...].

The main directions, directly related to this thesis, in which we would recommend that further work be done are:

(1) Recursive programs: We feel that there ought to be a more natural way to reason about recursion. As is quite evident from our work on α*, the primitives of dynamic logic are not only adequate for expressing interesting properties of iterative programs, but also enable the reasoning about these properties to be carried out inductively in a structured manner. For some properties P of programs, a natural way in which to prove them of α*, is simply to prove them for "every α in α*" by proving [α*]P(α). Thus the problem is reduced one level. This is the essence of the rules for α* in our various axiom systems. For recursive programs the situation seems to be different. Here a one-level reduction of the problem of showing a property to hold of τ*(/), is to show that it holds of τ when τ*(/) is "plugged in". Thus, the along(τ,Q) construct of Section 7.2 seems to be an important notion. And so, although the primitives of recursive dynamic logic [...] (and so they should not be [...]), [...] expressing other properties of interest, such as [...], [...] extra tools.
(2) Computation trees: These [...] in mind the need for [...] a computation by [assigning] costs to assignments and tests, but not to [...] which correspond to [...], as the basis for carrying out an analysis of the efficiency of algorithms, with applications to program optimization (e.g. our own construction [...]). [...] was strongly influenced by our interest in diverging and failing. [...] definition of failing might be worth looking for. Such a definition [...] the "go left" and "go right" of the [...].


(3) Parallel programs: [...] primitives, which would [...] reasoning about parallel programs, [...]. [...] would be [...] primitives, and then to try constructing natural arithmetical axiomatizations. It seems that a clean overall treatment of the problem of [running programs] in parallel, in the spirit of the [...] for sequential programs, is yet [...].
Appendix A: Relational Characterization of EPDL.

We show that EPDL of Section 1.1.1 is embedded in a simple algebra of relations which employs only two operations: conventional relational composition (∘), and a new unary operation on relations, minus (-). We [raise some] questions about our relational algebra which seem to justify further research.

Since EPDL does not involve operations on programs (;, ∪, *) this appendix can be viewed therefore as providing a Boolean-algebra like abstraction of a modal logic in which there are possibly many modalities.


Given a set of symbols Γ including one special symbol ∅ we define the set Ψ(Γ) of expressions of the relational algebra over Γ as follows.

(1) All elements of Γ are in Ψ(Γ),
(2) For every e and f in Ψ(Γ), (e∘f) and -e are in Ψ(Γ).

An interpretation I of Ψ(Γ) is a pair (W,r) where W is a nonempty set, and r: Γ → 2^{W×W} such that r(∅) = ∅.

r is extended to the set of expressions Ψ(Γ) by

r(e∘f) = r(e) ∘ r(f) = {(s,t) | (∃u)((s,u)∈r(e) and (u,t)∈r(f))},
r(-e) = -r(e) = {(s,s) | (∀u)((s,u)∉r(e))}.

Thus, the minus operator (-) connects s to itself iff s was connected to no element of W in the original relation.

Lemma A.1: The set -Ψ(Γ) = {-e | e∈Ψ(Γ)} is a Boolean algebra with ∘ and - acting as intersection and complement respectively.

Proof: It is easy to show that the standard postulates for a Boolean algebra are satisfied with 0 = ∅ and 1 = -∅.


We now define a syntactic translation function from the set of EPDL-wffs to the set of expressions of the relational algebra over the atomic [symbols]; in other words, f: EPDL → Ψ(AF ∪ AP). For esthetic reasons we take EPDL as though it was defined using P⊃Q and [a]P instead of P∨Q and <a>P. The latter are now to be regarded as abbreviations in the obvious way.

(1) For every p∈AF, f(p) = p,
(2) For every EPDL-wffs P and Q and a∈AP,
f(P⊃Q) = -(f(P) ∘ -f(Q)),
f(¬P) = -f(P),
f([a]P) = -(a ∘ -f(P)).

Given a structure 𝒜 = (W,m) for EPDL, define an interpretation I_𝒜 of Ψ(AF ∪ AP) to be I_𝒜 = (W,r), where r(p) = m(p?) for p∈AF, and r(a) = m(a) for a∈AP.

Theorem A.2: For every EPDL-wff P, r(f(P)) = m(P?).


Proof: By induction on the structure of P. For atomic P the claim holds by definition.

Consider P of the form R⊃Q. Assume (s,s)∈m((R⊃Q)?), so that [...] s∈m(Q?). We show that (s,s)∈r(-(f(R) ∘ -f(Q))). Indeed, if for some t we had (s,t)∈r(f(R) ∘ -f(Q)), then there would exist a u such that (s,u)∈r(f(R)) and (u,t)∈r(-f(Q)). By the inductive hypothesis [...], so that u=s and t=s, and that furthermore (∀v)((s,v)∉r(f(Q))). In particular, [this means] that (s,s)∉r(f(Q)), [...].

Conversely, assume that (s,s)∈r(f(R⊃Q)) [...] (s,s)∈r(f(R)) [...] (s,s)∉r(f(Q)). By assumption [...].

[the remainder of the proof is illegible in the scan]

Thus, we [have captured] elementary [properties] of programs in an algebra of relations which [has] only two operations. Theorem A.2 shows how to embed EPDL in this algebra Ψ.


Note that, with notation slightly relaxed [...], we have

f(EPDL) ⊂ -Ψ(AF ∪ AP) ⊂ Ψ(AF ∪ AP).

Both inclusions are strict; for general a∈AP there is no EPDL-wff P such that r(-(a∘[...])) = m(P?), and also there is no expression in -Ψ(AF ∪ AP) [equal to] a. An obvious interesting problem, then, would be to investigate the relationship between -Ψ and f(EPDL).

For example, what is the complexity of deciding [validity] in -Ψ; i.e. how hard is it to decide, for arbitrary e∈-Ψ, whether for every interpretation r(e) = {(s,s) | s∈W}? We know that validity in EPDL, and hence [validity] in f(EPDL), is decidable. Is this true in -Ψ?

Another possible direction to go would involve investigating "abstract" relational algebras; i.e. is it possible to give a finite set of postulates that a triple (K,b,u) is to satisfy in order for b and u to act like ∘ and -, where K is a set of binary relations over some arbitrary set and b and u are binary and unary operations on K respectively. One of those postulates, in line with Lemma A.1, [would] be that (u(K),b,u) is a Boolean algebra. What happens when K is merely [assumed] to be any set? Such representation theorems would seem to be of considerable interest.
Appendix B: Example of a Proof of a DL-wff in P.

We sketch the proof in P of a DL-wff [asserting the] correctness of the (deterministic) program computing McCarthy's 91-function (see [49]).

We [use] new [symbols] such as <, [...] etc. as abbreviations for the obvious first-order formulae they stand for. We do not [...].

[the recursive definition of the function is illegible in the scan]

is the function [...].

We consider an iterative simulation of the recursive [definition] [...].

Define [...]
α: [...],
β: [...].

We prove the N-validity of

(101[...]z ∧ y=1) ⊃ <α*>([...] ∧ y=1),

by defining the convergent P(n) as follows

P(n): [...]

(Note: P(n) is in fact the arithmetical equivalent of <[...]>([...] ∧ y=1).)

We prove (in P) the following three formulae, and then an application of the derived rule (J') gives the conclusion:


(101[...]z ∧ y=1) ⊃ ∃nP(n),
(*) P(n+1) ⊃ <α>P(n),
P(0) ⊃ (z=101 ∧ y=1).

The first and third of these can easily be seen to be axioms in (B) (i.e. N-valid L-wffs).

We prove the second, (*).

Abbreviate 100<z ∧ P(n) to P1(n),
[...] ∧ P(n) to P2(n),
and z<90 ∧ P(n) to P3(n).

Certainly we have that the following is N-valid and hence an axiom:

(**): (P1(n) ∨ P2(n) ∨ P3(n)) ≡ P(n),

and so we prove for i=1,2,3, that

Pi(n+1) ⊃ <α>P(n)

and use (**) to conclude (*). We omit the cases i=1 and i=2 which are reasonably straightforward. For i=3 it is sufficient to prove

P3(n+1) ⊃ <α*>(1<y ∧ 100<z ∧ [...] ∧ n=89-z+11y).

We will actually prove

P3(n+1) ⊃ <α*;α;α>(1<y ∧ 100<z ∧ [...] ∧ n=89-z+11y),

which is in fact

P3(n+1) ⊃ <α*>(z>78 ∧ 89≥z ∧ n=89-z+11y).

We use (J') again, this time with the convergent

Q(m): y>0 ∧ z>0 ∧ z<90 ∧ n=89-z+11y ∧ m=floor((100-z)/11)-1,

where m=floor(a/b) abbreviates (a≥m·b ∧ (m+1)·b>a). It can readily be seen that we can prove in P:

P3(n+1) ⊃ ∃mQ(m),
Q(m+1) ⊃ <α>Q(m),
and Q(0) ⊃ (z>78 ∧ 89≥z ∧ n=89-z+11y),

which completes the proof.
Appendix C: Example of a Proof of a CFDL-wff in R.

We sketch a proof of the partial correctness of the factorial program of Section 4.1. We prove, using standard abbreviations,

⊢_R z=x ⊃ [τ*(/)]y=x!,

where

τ(X): = (z=0?;y←1) ∪ (z≠0?;z←z-1;X;z←z+1;y←y·z).

First we prove in R

(1) [...]
and (2) z=x ⊃ [τ*(/)]y=x!,

and then, using (H), (G) and (E), we obtain the result.

(1) is trivial using (C). To prove (2) in R we use the derived rule (W') as follows: Note that var(τ)=(y,z). [Take]

R: z=x,
Q: y=z!,
and P: z'=z ∧ y'=z!.

We have left to show

(3) z=x ⊃ ((z'=z ∧ y'=z!)[...] ⊃ y=z!),
and (4) (z'=z ∧ y'=z!) ⊃ [(z=0?;y←1) ∪ (z≠0?;z←z-1;[...];z←z+1;y←y·z)](z=z' ∧ y=y').

To prove (3) we use (K), obtaining

z=x ⊃ (∀y'',z'')((z''=z ∧ y''=z!) ⊃ y''=z''!)
which is an axiom in (B). [To prove] (4), by (F), (C) and (D), [it suffices to prove] both

(5) (z'=z ∧ y'=y) ⊃ [z=0?;y←1]([...]),

which again is an axiom in (B), and

(6) (z'=z ∧ y'=y) ⊃ [z≠0?;z←z-1;[...];z←z+1;y←y·z]([...]).

The latter we prove by proving in R

(7) (z'=z ∧ y'=y) ⊃ [z≠0?;z←z-1]z≥0,
and (8) z≥0 ⊃ [[...];z←z+1;y←y·z]([...]).

The proof of (7) is quite easy using (C), (D), (E) and [...]. For (8) we apply axiom (K) again, to obtain

(9) z≥0 ⊃ (∀y'',z'')([...] ⊃ [...]),

which is an axiom in (B).
Appendix D: Example of a Proof of a DL*-wff in P*.

Consider the following program

α: = (x≠z?;((x=y?;x←x+1) ∪ x←x+2))*

Assume a state J∈N for which x=0. Then, starting from 0, x gets increased by 2 as long as x does not "hit" z. Also, if x happens to hit y then one increase by 1 is permitted before the by-2 increases are resumed. Two properties of α which are of interest in such states, and which depend on the values, in these states, of z and y, are:

(a) whether x can be made to skip z and
(b) whether x can be made to hit z,

and can be written simply as loop_α and <α>x=z respectively. The behavior of α in all states of N in which x=0 depends upon whether or not z and y are odd, and also upon whether or not y<z. The complete situation is given by the following table, where odd(z) and even(z) stand for ∃z'(z=1+2z') and its negation respectively:

[table illegible in the scan; the cases are classified by even(z)/odd(z) and y<z, with entries such as loop_α ∧ ¬<α>x=z and loop_α ∧ <α>x=z]

(Note that ¬loop_α implies that <α>x=z.)
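As an added example (not from the thesis), the following Python code recovers the case analysis of this appendix by exhaustive search: since x strictly increases on every iteration of α, loop_α holds exactly when some execution passes z without hitting it, and <α>x=z holds when some execution reaches x=z, so a bounded exploration from x=0 decides both; the code then confirms x=0 ⊃ (loop_α ≡ (odd(z) ∨ (even(y) ∧ y<z))) and ¬loop_α ⊃ <α>x=z for all y,z below a constructed bound. Function names and the bound are the example's own.

```python
def step(x, y, z):
    """One execution of the body of α from x: the set of possible next x values.
    The test x≠z? blocks when x = z; the x=y? branch enables the +1 step."""
    if x == z:
        return set()
    nxt = {x + 2}
    if x == y:
        nxt.add(x + 1)
    return nxt

def reachable(y, z, x0=0):
    """All x values reachable from x0 by iterating the body of α.  Exploration
    is cut once x > z: from there the loop can never stop, so nothing new
    matters for either property."""
    seen, frontier = {x0}, [x0]
    while frontier:
        x = frontier.pop()
        if x > z:
            continue
        for n in step(x, y, z):
            if n not in seen:
                seen.add(n)
                frontier.append(n)
    return seen

def loop_alpha(y, z):
    """loop_α in the state x=0: x increases on every iteration, so an infinite
    execution exists exactly when some execution passes z without hitting it."""
    return any(x > z for x in reachable(y, z))

def diamond_x_eq_z(y, z):
    """<α>x=z in the state x=0: some (possibly empty) execution ends with x=z."""
    return z in reachable(y, z)

def claimed_loop(y, z):
    """The right-hand side of the formula proved in this appendix."""
    return z % 2 == 1 or (y % 2 == 0 and y < z)

def check(bound=12):
    """True iff, for all y,z < bound, loop_α agrees with the claimed formula
    and ¬loop_α implies <α>x=z (the remark under the table)."""
    for y in range(bound):
        for z in range(bound):
            if loop_alpha(y, z) != claimed_loop(y, z):
                return False
            if not loop_alpha(y, z) and not diamond_x_eq_z(y, z):
                return False
    return True
```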
We now prove that

x=0 ⊃ (loop_α ≡ (odd(z) ∨ (even(y) ∧ y<z)))

is N-valid by proving the following three formulae in P*:

(1) (x=0 ∧ even(z) ∧ (odd(y) ∨ [...])) ⊃ ¬loop_α,
(2) (x=0 ∧ odd(z)) ⊃ loop_α,
(3) (x=0 ∧ even(y) ∧ y<z) ⊃ loop_α.

Combining these gives the required result.

(1): We would like to apply the derived rule [...], taking P(n) to be

[...]

[...] we also have P(n) holding, where n is taken to be (z-x)/2. We are left with having to prove [...]:

(P(n+1) ∧ x≠z) ⊃ x≠y,
and (P(n+1) ∧ x≠z) ⊃ [x←x+2]P(n),

[...].

(2): [...] the divergent P is taken to be

odd(z) ∧ even(x),

and it is easy to see that (x=0 ∧ odd(z)) ⊃ P is N-valid [...]. Also, one can prove in P that

P ⊃ (x≠z ∧ <x←x+2>P),

so that we have proved P ⊃ <β>*P in P* and can apply (U') to obtain the result.

(3): Similarly (U') is used, and here the divergent P is taken to be

y<z ∧ even(y) ∧ ((odd(z) ∧ even(x)) ∨ (even(z) ∧ (y<x ⊃ odd(x)))).

It is easy to see that (x=0 ∧ even(y) ∧ y<z) ⊃ P is N-valid, and we leave to the reader the task of verifying that P ⊃ <β>*P is provable in P* (in fact P ⊃ <β>P is), and then an application of (U') completes the proof.
Appendix E: Example of a Proof of a CFDL*-wff in R*.

Consider the program

α: (u=v? ∪ (u≠v?;u←u+2;X;u←u-2))*(/)

for which it is the case that

⊨(loop_α ≡ [...])

holds. We sketch the proof in R* of one direction, namely that

(u=0 ∧ odd(v)) ⊃ loop_α

is N-valid. α is of the form τ*(/) where we have by definition

σ: (y≠a? ∪ (y=a?;[...];y←b)),
and τ''(X): ((u=v? ∪ x←b) ∪ ((u≠v? ∪ x←b);u←u+2;[...];u←u-2))*(/).

We apply rule (W) taking R to be (u=0 ∧ odd(v)), Q to be false, and P(n)=P to be

(even(u) ∧ odd(v) ∧ u'=u ∧ y'=b ∧ x'=a ∧ x=a ∧ y=a),

where V=(u,x,y). The third premise of rule (W) is [clearly] N-valid. Considering the second, we can easily prove

(u'=u ∧ y'=b ∧ x'=a ∧ x=a) ⊃ <[...]>(u=u' ∧ x=x' ∧ y=y')

and hence establish, by further propositional reasoning,

P ⊃ <σ>V=V'.

Also, one can prove

P ⊃ <u≠v?;u←u+2;P?;u←u-2>V=V',

from which the fourth premise follows. We are left with having to prove the first premise. This is done by proving

R ⊃ ∀n<x←a;y←a;P?>y=b

which simplifies to having to prove

R ⊃ <x←a;y←a;P?>y=b.

This again can easily be seen to be provable in R, giving the conclusion.
Errata for MIT/LCS/TR-200, by David Harel.

Page 43. Rule (H) should read:

[α]P ⊃ [α]Q — ∃xP ⊃ ∃xQ [the rule is partly illegible in the scan]


Pages 38-39. Theorem 3.1 and its proof should read:

Theorem 3.1 (Theorem of Completeness): For any universe U and M-extension L(M) of L, a U-sound axiom system P(M) for L(M) is U-complete whenever:

(1) P(M) is propositionally complete,
(2) L is U-expressive for L(M),
(3) For any k∈K, variable x and L(M)-wffs R and Q,
if ⊢_{P(M)}(R⊃Q) then ⊢_{P(M)}(∃xR ⊃ ∃xQ),
(4) For any k∈K and L-wffs R and Q,
if ⊨_U(R ⊃ ¬(M_k)Q) then ⊢_{P(M)}(R ⊃ ¬(M_k)Q).

Proof: We have to prove that if P is an L(M)-wff such that ⊨_U P, then ⊢_{P(M)} P. By the propositional completeness of P(M) we can assume that P is given in conjunctive normal form, and we proceed by induction on the sum n, of the number of appearances of M and the number of quantifiers prefixed to non first-order formulae, occurring in P. In the case n=0, P is first-order and by the first line in assumption (4) it is provable if it is U-valid. Assume that n>0 and that the theorem holds for any formula with n-1 or less appearances of M and such quantifiers. If P is of the form P1∧P2 then we have ⊨_U P1 and ⊨_U P2, both of which have to be proved in P(M), so that we can restrict our attention to a single disjunction. Without loss of generality we can, therefore, assume that P is of one of the forms:

P1∨(M_k)P2, P1∨¬(M_k)P2, P1∨∃xP2 or P1∨¬∃xP2,

where k∈K, and the right-hand side disjunct is not first-order. Thus we are guaranteed that in each case P2 has less than n appearances of M and such quantifiers. Let us use ρ to denote (M_k), ¬(M_k), ∃x or ¬∃x according to which is the case.

L is expressive for L(M) and [so, for any L(M)-wff Q, there is an] L-wff Q_L which is equivalent to Q. We have then ⊨_U(¬P1_L ⊃ ρP2_L), [and] using assumption (4) (since P1_L and P2_L are L-wffs) we also have:

(*) ⊢_{P(M)}(¬P1_L ⊃ ρP2_L).

Now surely, by the definition of P1_L and P2_L, we have ⊨_U(¬P1 ⊃ ¬P1_L) and ⊨_U(P2_L ⊃ P2). Both these last formulae have less than n appearances of M and such quantifiers, and hence by the inductive hypothesis

(**) ⊢_{P(M)}(¬P1 ⊃ ¬P1_L) and ⊢_{P(M)}(P2_L ⊃ P2).

[... when each] of the above cases [is] considered) we can obtain from the latter

(***) ⊢_{P(M)}(ρP2_L ⊃ ρP2).

From (*), (**) and (***) we get, using [...], ⊢_{P(M)}(¬P1 ⊃ ρP2), or ⊢_{P(M)}(P1∨ρP2).